34 Replies Latest reply on Sep 5, 2011 7:56 PM by afberendsen

    LDAP client with TLS

    807573
      LDAP gurus

      I'm having problems setting up the LDAP client to use TLS:SIMPLE. SIMPLE and SASL/DIGEST-MD5 are working fine (with or without Proxy).

      For some reason, a self-signed certificate is not accepted by the client (TLS certificate verification: Error, self signed certificate).

      Certificate is located at /var/ldap/cert8.db
      Client is Sun LDAP Native.
      ________________________________________________
      [SunOS 5.10/bash] root@wgls01:/root
      # /usr/local/bin/ldapsearch -Z -H ldaps://wgtsinf01:1636 -v -d 65535
      ldap_initialize( ldaps://wgtsinf01:1636 )
      ldap_create
      ldap_url_parse_ext(ldaps://wgtsinf01:1636)
      ldap_extended_operation_s
      ldap_extended_operation
      ldap_send_initial_request
      ldap_new_connection 1 1 0
      ldap_int_open_connection
      ldap_connect_to_host: TCP wgtsinf01:1636
      ldap_new_socket: 4
      ldap_prepare_socket: 4
      ldap_connect_to_host: Trying 10.64.47.50:1636
      ldap_connect_timeout: fd: 4 tm: -1 async: 0
      TLS trace: SSL_connect:before/connect initialization
      tls_write: want=124, written=124
        0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 39 00 00   .z....Q... ..9..
        0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............
        0020:  00 00 33 00 00 32 00 00  2f 00 00 07 05 00 80 03   ..3..2../.......
        0030:  00 80 00 00 05 00 00 04  01 00 80 00 00 15 00 00   ................
        0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@.........
        0050:  00 00 06 04 00 80 00 00  03 02 00 80 5b ca 46 06   ............[.F.
        0060:  60 e0 bc 9e a2 af 25 a2  55 0a 53 e7 f0 1a fc 6e   `.....%.U.S....n
        0070:  c6 7b de f1 79 7e b1 ce  15 14 1a 8e               .{..y~......
      TLS trace: SSL_connect:SSLv2/v3 write client hello A
      tls_read: want=7, got=7
        0000:  16 03 01 03 b3 02 00                               .......
      tls_read: want=945, got=945
        0000:  00 46 03 01 46 b2 73 ba  42 d1 b3 35 54 a1 26 f8   .F..F.s.B..5T.&.
        0010:  76 87 77 90 c1 92 c3 e4  88 a0 47 bc cc 52 01 bb   v.w.......G..R..
        0020:  34 85 b1 2d 20 46 b2 73  ba cd 16 16 a6 e6 9a a3   4..- F.s........
        0030:  c2 af 1b 60 ed e7 0d ad  32 69 0d c3 41 64 31 4e   ...`....2i..Ad1N
        0040:  3e ff bd c4 0a 00 16 00  0b 00 01 ae 00 01 ab 00   >...............
        0050:  01 a8 30 82 01 a4 30 82  01 0d 02 04 46 ad 48 df   ..0...0.....F.H.
        0060:  30 0d 06 09 2a 86 48 86  f7 0d 01 01 04 05 00 30   0...*.H........0
        0070:  19 31 17 30 15 06 03 55  04 03 13 0e 77 67 74 73   .1.0...U....wgts
        0080:  69 6e 66 30 31 3a 31 33  38 39 30 1e 17 0d 30 37   inf01:13890...07
        0090:  30 37 33 30 30 32 31 31  34 33 5a 17 0d 30 39 30   0730021143Z..090
        00a0:  37 32 39 30 32 31 31 34  33 5a 30 19 31 17 30 15   729021143Z0.1.0.
        00b0:  06 03 55 04 03 13 0e 77  67 74 73 69 6e 66 30 31   ..U....wgtsinf01
        00c0:  3a 31 33 38 39 30 81 9f  30 0d 06 09 2a 86 48 86   :13890..0...*.H.
        00d0:  f7 0d 01 01 01 05 00 03  81 8d 00 30 81 89 02 81   ...........0....
        00e0:  81 00 a9 f7 de 93 85 50  13 6b a1 18 96 3d 00 2d   .......P.k...=.-
        00f0:  64 5d a9 65 72 33 c3 44  b6 1e 0e 6b b8 4b e0 a4   d].er3.D...k.K..
        0100:  0a 6b 7f 4f 1a ae f3 d7  8e ed 8e fd c7 d0 48 b1   .k.O..........H.
        0110:  f0 45 2d 74 52 a9 d1 fd  d4 89 ad 64 d9 82 6b e9   .E-tR......d..k.
        0120:  73 b1 55 cb 38 20 06 e6  4f a3 d3 f2 0b a1 5b 2e   s.U.8 ..O.....[.
        0130:  b4 43 bc 9a 93 e6 b7 47  dd 58 f2 cb 59 17 8a c0   .C.....G.X..Y...
        0140:  13 aa 8a 5f ef 11 33 c7  02 53 d8 b1 20 e3 5b 6d   ..._..3..S.. .[m
        0150:  4f ea 4f a6 9d 02 d2 39  69 ed e0 b9 70 d9 51 50   O.O....9i...p.QP
        0160:  4e 2b 02 03 01 00 01 30  0d 06 09 2a 86 48 86 f7   N+.....0...*.H..
        0170:  0d 01 01 04 05 00 03 81  81 00 02 d6 e1 3d f7 41   .............=.A
        0180:  64 69 c5 f3 b7 77 93 99  10 80 4d aa b9 1f 7a 28   di...w....M...z(
        0190:  c2 33 4e 42 d2 47 7c 53  00 6e 7d 13 3b e3 56 19   .3NB.G|S.n}.;.V.
        01a0:  35 93 4b 6d cd 4c 52 57  aa ba e2 f6 e0 46 a4 f2   5.Km.LRW.....F..
        01b0:  5c a7 be be b2 40 6f 9a  33 f0 dc b5 de 55 3c 8e   \....@o.3....U<.
        01c0:  2a 19 15 eb 6c 6f 03 ef  a5 c1 01 e3 d6 10 b7 64   *...lo.........d
        01d0:  7d dd 24 87 60 a7 e3 5f  24 a1 ea 0a 66 fa d4 49   }.$.`.._$...f..I
        01e0:  71 65 21 53 94 ad be 0c  b9 52 b6 78 67 87 b8 38   qe!S.....R.xg..8
        01f0:  11 59 b2 47 b6 c9 23 f8  d8 cc 0c 00 01 89 00 80   .Y.G..#.........
        0200:  f4 88 fd 58 4e 49 db cd  20 b4 9d e4 91 07 36 6b   ...XNI.. .....6k
        0210:  33 6c 38 0d 45 1d 0f 7c  88 b3 1c 7c 5b 2d 8e f6   3l8.E..|...|[-..
        0220:  f3 c9 23 c0 43 f0 a5 5b  18 8d 8e bb 55 8c b8 5d   ..#.C..[....U..]
        0230:  38 d3 34 fd 7c 17 57 43  a3 1d 18 6c de 33 21 2c   8.4.|.WC...l.3!,
        0240:  b5 2a ff 3c e1 b1 29 40  18 11 8d 7c 84 a7 0a 72   .*.<..)@...|...r
        0250:  d6 86 c4 03 19 c8 07 29  7a ca 95 0c d9 96 9f ab   .......)z.......
        0260:  d0 0a 50 9b 02 46 d3 08  3d 66 a4 5d 41 9f 9c 7c   ..P..F..=f.]A..|
        0270:  bd 89 4b 22 19 26 ba ab  a2 5e c3 55 e9 2f 78 c7   ..K".&...^.U./x.
        0280:  00 01 02 00 80 7c 11 c6  db 8a 23 1b 2d a3 e3 5d   .....|....#.-..]
        0290:  f0 30 4c 20 35 c1 95 fc  71 eb c2 92 00 02 a9 05   .0L 5...q.......
        02a0:  c5 10 4e 75 ef ca 35 aa  bb 38 14 fa 38 c3 71 e4   ..Nu..5..8..8.q.
        02b0:  16 a4 87 d5 2f e7 a5 7c  b4 b8 a0 ee cf 53 ab c2   ..../..|.....S..
        02c0:  6b f4 79 59 d5 f9 07 70  77 97 89 eb b6 c6 74 df   k.yY...pw.....t.
        02d0:  26 57 5c 42 1a 95 13 e3  c5 28 b7 6c c2 6f 2e 65   &W\B.....(.l.o.e
        02e0:  5d c3 c8 a9 cf 8e 09 cc  aa 42 eb f7 a7 3b c3 5d   ]........B...;.]
        02f0:  be cd e3 71 2b 46 a2 80  72 a3 48 ae 52 b4 ce c2   ...q+F..r.H.R...
        0300:  69 1f 40 e7 94 00 80 03  b2 a4 66 2f 34 c1 60 46   i.@.......f/4.`F
        0310:  05 9d 83 7f f9 75 29 07  36 60 8b b0 ae 1c ce e8   .....u).6`......
        0320:  5f b4 0e 26 54 1c 31 b7  94 e2 58 6e 33 76 ce 19   _..&T.1...Xn3v..
        0330:  e0 07 f5 ca cc a9 d3 53  d5 22 4a 3a 31 15 f4 7e   .......S."J:1..~
        0340:  34 ba 3b 92 c0 ec 75 8e  0f d8 e4 44 23 91 70 cb   4.;...u....D#.p.
        0350:  d9 f9 40 ac 7c 0e 97 27  1d 24 b5 ff f2 13 bd 64   ..@.|..'.$.....d
        0360:  aa 10 40 1c 68 6f b2 87  14 c2 ef 88 bb 9c 88 24   ..@.ho.........$
        0370:  5f 6b 9e c5 2b fb c2 d1  b3 ce 6e 8d b7 57 bf 88   _k..+.....n..W..
        0380:  ee b9 fd d6 f3 a0 f3 0d  00 00 22 02 01 02 00 1d   ..........".....
        0390:  00 1b 30 19 31 17 30 15  06 03 55 04 03 13 0e 77   ..0.1.0...U....w
        03a0:  67 74 73 69 6e 66 30 31  3a 31 33 38 39 0e 00 00   gtsinf01:1389...
        03b0:  00                                                 .
      TLS trace: SSL_connect:SSLv3 read server hello A
      TLS certificate verification: depth: 0, err: 18, subject: /CN=wgtsinf01:1389, issuer: /CN=wgtsinf01:1389
      TLS certificate verification: Error, self signed certificate
      tls_write: want=7, written=7
        0000:  15 03 01 00 02 02 30                               ......0
      TLS trace: SSL3 alert write:fatal:unknown CA
      TLS trace: SSL_connect:error in SSLv3 read server certificate B
      TLS trace: SSL_connect:error in SSLv3 read server certificate B
      TLS: can't connect.
      ldap_perror
      ldap_start_tls: Can't contact LDAP server (-1)
              additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      ldap_pvt_sasl_getmech
      ldap_search
      put_filter: "(objectclass=*)"
      put_filter: simple
      put_simple_filter: "objectclass=*"
      ldap_build_search_req ATTRS:
          supportedSASLMechanisms
      ldap_send_initial_request
      ldap_send_server_request
      ldap_perror
      ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
              additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Any ideas?

      Andreas
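The trace above carries the server's certificate in the clear inside the second tls_read dump, so it can be pulled out and read without touching the server. What follows is an added example for this thread, not code from the original post: it parses the hex-dump lines exactly as ldapsearch printed them (TRACE_DUMP is the 0040..01f0 part of that dump), locates the TLS Certificate handshake message, walks the DER by hand and lists what a verifier will object to. The function names, the small OID table and the wording of the findings are this example's own; it assumes only the dump layout shown above and needs nothing outside the Python standard library.

```python
"""Recover the server certificate from the '-d 65535' TLS trace above and read the fields a
client checks before trusting it. Added example for this thread, not code from the original
post; standard library only. TRACE_DUMP is copied from the 0040..01f0 lines of the second
tls_read in the question; every other name here is this example's own."""
import re

TRACE_DUMP = r"""
  0040:  3e ff bd c4 0a 00 16 00  0b 00 01 ae 00 01 ab 00   >...............
  0050:  01 a8 30 82 01 a4 30 82  01 0d 02 04 46 ad 48 df   ..0...0.....F.H.
  0060:  30 0d 06 09 2a 86 48 86  f7 0d 01 01 04 05 00 30   0...*.H........0
  0070:  19 31 17 30 15 06 03 55  04 03 13 0e 77 67 74 73   .1.0...U....wgts
  0080:  69 6e 66 30 31 3a 31 33  38 39 30 1e 17 0d 30 37   inf01:13890...07
  0090:  30 37 33 30 30 32 31 31  34 33 5a 17 0d 30 39 30   0730021143Z..090
  00a0:  37 32 39 30 32 31 31 34  33 5a 30 19 31 17 30 15   729021143Z0.1.0.
  00b0:  06 03 55 04 03 13 0e 77  67 74 73 69 6e 66 30 31   ..U....wgtsinf01
  00c0:  3a 31 33 38 39 30 81 9f  30 0d 06 09 2a 86 48 86   :13890..0...*.H.
  00d0:  f7 0d 01 01 01 05 00 03  81 8d 00 30 81 89 02 81   ...........0....
  00e0:  81 00 a9 f7 de 93 85 50  13 6b a1 18 96 3d 00 2d   .......P.k...=.-
  00f0:  64 5d a9 65 72 33 c3 44  b6 1e 0e 6b b8 4b e0 a4   d].er3.D...k.K..
  0100:  0a 6b 7f 4f 1a ae f3 d7  8e ed 8e fd c7 d0 48 b1   .k.O..........H.
  0110:  f0 45 2d 74 52 a9 d1 fd  d4 89 ad 64 d9 82 6b e9   .E-tR......d..k.
  0120:  73 b1 55 cb 38 20 06 e6  4f a3 d3 f2 0b a1 5b 2e   s.U.8 ..O.....[.
  0130:  b4 43 bc 9a 93 e6 b7 47  dd 58 f2 cb 59 17 8a c0   .C.....G.X..Y...
  0140:  13 aa 8a 5f ef 11 33 c7  02 53 d8 b1 20 e3 5b 6d   ..._..3..S.. .[m
  0150:  4f ea 4f a6 9d 02 d2 39  69 ed e0 b9 70 d9 51 50   O.O....9i...p.QP
  0160:  4e 2b 02 03 01 00 01 30  0d 06 09 2a 86 48 86 f7   N+.....0...*.H..
  0170:  0d 01 01 04 05 00 03 81  81 00 02 d6 e1 3d f7 41   .............=.A
  0180:  64 69 c5 f3 b7 77 93 99  10 80 4d aa b9 1f 7a 28   di...w....M...z(
  0190:  c2 33 4e 42 d2 47 7c 53  00 6e 7d 13 3b e3 56 19   .3NB.G|S.n}.;.V.
  01a0:  35 93 4b 6d cd 4c 52 57  aa ba e2 f6 e0 46 a4 f2   5.Km.LRW.....F..
  01b0:  5c a7 be be b2 40 6f 9a  33 f0 dc b5 de 55 3c 8e   \....@o.3....U<.
  01c0:  2a 19 15 eb 6c 6f 03 ef  a5 c1 01 e3 d6 10 b7 64   *...lo.........d
  01d0:  7d dd 24 87 60 a7 e3 5f  24 a1 ea 0a 66 fa d4 49   }.$.`.._$...f..I
  01e0:  71 65 21 53 94 ad be 0c  b9 52 b6 78 67 87 b8 38   qe!S.....R.xg..8
  01f0:  11 59 b2 47 b6 c9 23 f8  d8 cc 0c 00 01 89 00 80   .Y.G..#.........
"""
OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def parse_hexdump(text):
    """Rebuild bytes from 'offset:  xx xx ...   ascii' lines; the ASCII column is ignored."""
    return b"".join(bytes.fromhex(p) for p in re.findall(r"(?m)^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2} +){0,15}[0-9a-f]{2})", text))

def find_certificate(buf):
    """Locate the TLS Certificate handshake (type 11) and return its first DER certificate."""
    for i in range(len(buf) - 10):
        hs_len, list_len, cert_len = (int.from_bytes(buf[i + k:i + k + 3], "big") for k in (1, 4, 7))
        if buf[i] == 0x0B and hs_len == list_len + 3 and 4 <= cert_len <= list_len and buf[i + 10] == 0x30:
            return buf[i + 10:i + 10 + cert_len]
    raise ValueError("no Certificate handshake message in dump")

def tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):                          # every TLV packed inside a constructed value
        tag, inner, pos = tlv(value, pos)
        yield tag, inner

def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                # base-128 digits, high bit = more to come
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def decode_name(value):
    """X.501 Name -> OpenSSL one-line form, e.g. '/CN=wgtsinf01:1389'."""
    atvs = [list(children(atv)) for _, rdn in children(value) for _, atv in children(rdn)]
    return "".join(f"/{OID_NAMES.get(decode_oid(o), decode_oid(o))}={v.decode('latin-1')}" for (_, o), (_, v) in atvs)

def parse_certificate(der):
    _, cert, _ = tlv(der, 0)
    tbs, sig_alg, _ = [v for _, v in children(cert)]   # tbsCertificate, signatureAlgorithm, signature
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                         # [0] EXPLICIT version; absent means v1
        fields = fields[1:]
    serial, _, issuer, validity, subject, spki = [v for _, v in fields[:6]]
    _, key_bits = [v for _, v in children(spki)]
    _, rsa_key, _ = tlv(key_bits, 1)                 # skip the BIT STRING unused-bits byte
    alg = decode_oid(next(children(sig_alg))[1])
    return {"serial": serial.hex(), "signature_algorithm": OID_NAMES.get(alg, alg),
            "issuer": decode_name(issuer), "subject": decode_name(subject),
            "validity": tuple(v.decode() for _, v in children(validity)),
            "key_bits": int.from_bytes(next(children(rsa_key))[1], "big").bit_length()}

def assess(info):
    """Map the certificate's properties to the verify failures seen in the trace."""
    checks = [(info["issuer"] == info["subject"], "self-signed: verify error 18 unless this exact certificate is in the client trust store"),
              (info["signature_algorithm"] == "md5WithRSAEncryption", "MD5 signature: modern OpenSSL rejects it (signature digest algorithm too weak)"),
              (info["key_bits"] < 2048, f"{info['key_bits']}-bit RSA key: below today's 2048-bit minimum"),
              (":" in info["subject"].rsplit("CN=", 1)[-1], "subject CN is host:port, not a hostname, so no name check can match")]
    return [msg for bad, msg in checks if bad]
```

Calling `assess(parse_certificate(find_certificate(parse_hexdump(TRACE_DUMP))))` reports all four points for the certificate on port 1636: it is v1, self-signed (issuer and subject are both `/CN=wgtsinf01:1389`), MD5-signed, carries a 1024-bit key, and its CN is a host:port string rather than the server's name. That is why the client writes `err: 18` (OpenSSL's `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT`, the leaf itself is self-signed) and sends the `unknown CA` alert; `err: 19` in the later replies means the leaf chains to a private CA the client has not been told to trust. In both cases the cure is to put the issuing certificate into the client's trust store, not to turn verification off.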
        • 1. Re: LDAP client with TLS
          807573
          From all my investigations, error 19 is not an error, just a warning.
          The problem seems to be with (TLS trace: SSL3 alert write:fatal:unknown CA)
          Some relevant output:
          # certutil -L -d /var/ldap/
          wgtsinf01                                                    CT,,
          # certutil -L -d /var/ldap/ -n wgtsinf01
          Certificate:
          ...
                  Issuer: "CN=wgtsinf01.nz.thenational.com"
                  Validity:
                      Not Before: Fri Aug 03 04:34:30 2007
                      Not After : Sat Aug 02 04:34:30 2008
                  Subject: "CN=wgtsinf01.nz.thenational.com"
          ...
                      Name: Certificate Authority Key Identifier
                      Error: KeyID OR (Issuer AND Serial) must be present, not both.
                      Key ID:
                          66:af:07:3b:3d:a2:9e:23:18:a0:3c:64:cd:84:5d:2e:
                          68:5e:7c:24
                      Issuer:
                          Directory Name: "CN=wgtsinf01.nz.thenational.com"
                      Serial Number:
                          00:a0:60:d8:78:be:06:f2:c6
          ...
              Certificate Trust Flags:
                  SSL Flags:
                      Valid CA
                      Trusted CA
                      Trusted Client CA
                  Email Flags:
                  Object Signing Flags:
          
          # /usr/local/ssl/bin/openssl s_client -connect wgtsinf01:636 -showcerts
          CONNECTED(00000004)
          depth=1 /CN=BNZ CA
          verify error:num=19:self signed certificate in certificate chain
          verify return:0
          ---
          Certificate chain
           0 s:/CN=wgtsinf01.nz.thenational.com
             i:/CN=BNZ CA
          ...
           1 s:/CN=BNZ CA
             i:/CN=BNZ CA
          ...
          ---
          Server certificate
          subject=/CN=wgtsinf01.nz.thenational.com
          issuer=/CN=BNZ CA
          ---
          Acceptable client certificate CA names
          /CN=BNZ CA
          ---
          SSL handshake has read 1147 bytes and written 334 bytes
          ---
          New, TLSv1/SSLv3, Cipher is AES256-SHA
          Server public key is 1024 bit
          Compression: NONE
          Expansion: NONE
          SSL-Session:
              Protocol  : TLSv1
              Cipher    : AES256-SHA
              Session-ID: 066B87737F43DD09C252C5604863CC9B90B1822324F244FDDF1F0239BF8EE665
              Session-ID-ctx:
              Master-Key: 6CD4F48C76AACF7C1DEF944EF347888BD503FC7605F18CDFA74A39C687F56F563AB23D9A7436AA80E85ED4893DA6DD94
              Key-Arg   : None
              Start Time: 1186122729
              Timeout   : 300 (sec)
              Verify return code: 19 (self signed certificate in certificate chain)
          ---
          Any ideas?

          Andreas
          • 2. Re: LDAP client with TLS
            807573
            Hi,

            can you try executing:
            ldapsearch -v -h wgtsinf01.nz.thenational.com -p 1636 -Z -P /var/ldap/cert8.db -b "" -s base "objectclass=*" supportedSASLMechanisms
            It is important that you use exactly the same FQHN in your request as the one found in the server certificate.

            regards
            David
            • 3. Re: LDAP client with TLS
              807573
              David,
              ________________________________________________
              [SunOS 5.9/bash] root@wgls02:/root
              # /usr/local/bin/ldapsearch -v -h wgtsinf01.nz.thenational.com -p 1636 -Z -P /var/ldap/cert8.db -b "" -s base "objectclass=*" supportedSASLMechanisms
              ldapsearch: unabel to parse protocol version "/var/ldap/cert8.db"
              Andreas
              • 4. Re: LDAP client with TLS
                807573
                Partially fixed.

                I was using the OpenLDAP ldapsearch command and I forgot about ldap.conf:
                TIMELIMIT       30
                bind_timelimit  30
                idle_timelimit  30
                URI             ldaps://wgtsinf01.nz.thenational.com:636
                SASL_MECH       simple
                ssl start_tls
                tls_cacertfile  /var/ldap/cacert.pem
                BASE            dc=nz,dc=thenational,dc=com
                SCOPE           one
                tls_reqcert never
                Now:
                ________________________________________________
                [SunOS 5.9/bash] root@wgls02:/root
                # /usr/local/bin/ldapsearch -H ldaps://wgtsinf01.nz.thenational.com:636 -Z  -b "dc=nz,dc=thenational,dc=com" -s sub  -x "(objectclass=*)"
                ldap_initialize( ldaps://wgtsinf01.nz.thenational.com:636 )
                ldap_start_tls: Operations error (1)
                        additional info: SSL connection already established.
                filter: (objectclass=*)
                requesting: All userApplication attributes
                # extended LDIF
                #
                # LDAPv3
                # base <dc=nz,dc=thenational,dc=com> with scope subtree
                # filter: (objectclass=*)
                # requesting: ALL
                #
                ...
                But Sun native client still is not working:
                ________________________________________________
                [SunOS 5.9/bash] root@wgls02:/root
                # ldapsearch -v -b "dc=nz,dc=thenational,dc=com" -s sub -h wgtsinf01.thenational.com -p 636 -M simple "(objectclass=*)"
                ldap_init( wgtsinf01.thenational.com, 636 )
                filter pattern: (objectclass=*)
                returning: ALL
                filter is: ((objectclass=*))
                ldap_search: Can't connect to the LDAP server
                ________________________________________________
                [SunOS 5.9/bash] root@wgls02:/root
                # ldapclient list
                NS_LDAP_FILE_VERSION= 2.0
                NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
                NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
                NS_LDAP_SERVERS= wgtsinf01.nz.thenational.com, wgpsinf01.nz.thenational.com, akpsinf01.nz.thenational.com
                NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
                NS_LDAP_AUTH= tls:simple
                NS_LDAP_SEARCH_SCOPE= one
                NS_LDAP_SERVER_PREF= wgtsinf01
                NS_LDAP_CREDENTIAL_LEVEL= anonymous
                NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?one
                NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
                NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
                NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
                NS_LDAP_BIND_TIME= 30
                Any ideas?

                Andreas
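The "partial fix" above works because `tls_reqcert never` switches certificate verification off, which is not the same thing as making the CA trusted: the unknown-CA error goes away, and so does any protection against a server impersonating wgtsinf01. The following is an added example, not part of the thread: a small auditor for OpenLDAP-style ldap.conf files. SAMPLE_CONF is the file from the reply above; the keyword classification follows ldap.conf(5) (the pam_ldap/nss_ldap spellings it warns about, `tls_cacertfile` and `ssl`, are ones libldap does not read), while the severity labels, messages and function names are this example's own.

```python
"""Audit the TLS settings of an OpenLDAP-style ldap.conf. Added example for this thread,
not code from the original post; SAMPLE_CONF is the file from the reply above, the
checks and names are this example's own."""

SAMPLE_CONF = """\
TIMELIMIT       30
bind_timelimit  30
idle_timelimit  30
URI             ldaps://wgtsinf01.nz.thenational.com:636
SASL_MECH       simple
ssl start_tls
tls_cacertfile  /var/ldap/cacert.pem
BASE            dc=nz,dc=thenational,dc=com
SCOPE           one
tls_reqcert never
"""

# pam_ldap / nss_ldap spellings that libldap (ldap.conf(5)) silently ignores, with what to use instead.
PAM_LDAP_ONLY = {"TLS_CACERTFILE": "TLS_CACERT", "TLS_CHECKPEER": "TLS_REQCERT",
                 "SSL": "an ldaps:// URI, or -ZZ on the ldap tools"}

def parse_ldap_conf(text):
    """[(KEYWORD, value)] with keywords upper-cased; comments and blank lines dropped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            entries.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return entries

def audit(text):
    """Return (severity, keyword, message) findings; 'high' means the server is not authenticated."""
    conf = parse_ldap_conf(text)
    findings = []
    for key, value in conf:
        if key == "TLS_REQCERT" and value.lower() in ("never", "allow"):
            findings.append(("high", key, f"TLS_REQCERT {value}: any certificate is accepted, so the 'unknown CA' "
                                          "error disappears along with protection against a spoofed server"))
        elif key == "URI":
            for uri in value.split():
                if uri.lower().startswith("ldap://"):
                    findings.append(("medium", key, f"{uri} is cleartext unless the client also negotiates StartTLS (-ZZ)"))
        elif key in PAM_LDAP_ONLY:
            findings.append(("low", key, f"pam_ldap/nss_ldap keyword that libldap ignores; use {PAM_LDAP_ONLY[key]}"))
        elif key == "BINDPW":
            findings.append(("medium", key, "bind password stored in the file; keep it mode 0600 or move it out"))
    if not {k for k, _ in conf} & {"TLS_CACERT", "TLS_CACERTDIR"}:
        findings.append(("high", "TLS_CACERT", "no CA configured: a private CA such as 'CN=BNZ CA' is untrusted, "
                                               "so TLS_REQCERT demand ends in 'unknown CA'"))
    return findings

def harden(text):
    """Copy of the file with verification turned back on and the libldap spelling for the CA file."""
    out = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        key = parts[0].upper() if parts else ""
        if key == "TLS_REQCERT":
            line = "TLS_REQCERT     demand"          # the default; a bad or missing cert aborts the session
        elif key == "TLS_CACERTFILE" and len(parts) == 2:
            line = f"TLS_CACERT      {parts[1]}"     # libldap reads TLS_CACERT, not tls_cacertfile
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for severity, key, msg in audit(SAMPLE_CONF):
        print(f"[{severity:6}] {key}: {msg}")
    print(harden(SAMPLE_CONF))
```

On the file above `audit` raises two high findings (verification disabled, no CA that libldap will read) and two low ones for the pam_ldap-only keywords; after `harden` only the low ones remain. The hardened file still needs /var/ldap/cacert.pem to actually contain the issuing CA certificate (the `CN=BNZ CA` seen in the s_client output), otherwise `TLS_REQCERT demand` fails in exactly the way the first post shows.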
                • 5. Re: LDAP client with TLS
                  807573
                  I'm not very experienced with the OpenLDAP ldapsearch command. I could set up all my Solaris servers as LDAP clients against a Sun Directory Server though (Sol 8, 9 & 10). The setup of the LDAP client should work against OpenLDAP also. Are you using an OpenLDAP server or Sun DS?

                  In your first post you were using Solaris 10. Unfortunately for Solaris 8 and 9 ldapsearch doesn't know the -P option, hence it's not possible to test SSL connections. The -P option is used to specify the location of the certificate database - you need that to test SSL connections with ldapsearch.
                  I was lucky - my Sun DS is installed on Solaris 9. So I could use the ldapsearch delivered with DS:
                  LD_LIBRARY_PATH=/var/opt/mps/serverroot/lib/ \
                  /var/opt/mps/serverroot/shared/bin/ldapsearch -v -h ldap_server -p 636 -Z \
                  -P /var/ldap/cert8.db -b "" -s base "objectclass=*" namingContexts
                  Why are you running simple authentication (-M simple) against port 636? That will never work!

                  You can run unencrypted connections, right?:
                  ldapsearch -v -h wgtsinf01.nz.thenational.com -b "" -s base "objectclass=*" namingContexts
                  Your /usr/local/bin/ldapsearch - I assume this is from OpenLDAP - said: "SSL connection already established.". I think I read somewhere that Sun DS does not support Start-TLS. Is it correct that this command was working correctly?

                  Maybe just change your Preferred Server from "wgtsinf01" to "wgtsinf01.nz.thenational.com"?

                  Message was edited by:
                  DavidSchulz
                  • 6. Re: LDAP client with TLS
                    807573
                    David,

                    1. For my understanding, TLS and SASL work on different levels. TLS is used to encrypt the communication between the client and the server and SASL is used to encrypt the authentication mechanism. I suppose this is true because we can have TLS:SIMPLE and TLS:SASL/DIGEST-MD5.

                    2. This is a test environment (proof of concept) and I have Sun boxes with Solaris 10, 9, 8, 7 and 6 as clients and a DSEE 6.1 running on top of Sun Solaris 9. I know that Solaris 6 and 7 do not have support for the Sun native LDAP client and I'm testing the viability of using OpenLDAP.

                    3. OpenLDAP uses a different configuration file (name and format). I'm using both implementations to test the connectivity between the client and the server. OpenLDAP uses /usr/local/etc/openldap/ldap.conf and the Sun native LDAP client uses /var/ldap/*. The contents of my OpenLDAP conf file are:
                    timelimit       30
                    bind_timelimit  30
                    idle_timelimit  30
                    base            dc=nz,dc=thenational,dc=com
                    scope           one
                    binddn          cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
                    bindpw          Password
                    ldap_version    3
                    
                    #--- Used by sudo
                    sudoers_base    ou=SUDOers,dc=nz,dc=thenational,dc=com
                    sudoers_debug   2
                    sasl_mech       simple
                    #----- LDAP TLS configuration
                    uri             ldaps://wgtsinf01:636
                    tls_certificate /var/ldap/cacert.pem
                    tls_reqcert     never
                    As you can see from this file, I'm using LDAPS with port 636. The command I used to test this configuration file is below.
                    # /usr/local/bin/ldapsearch  -b "dc=nz,dc=thenational,dc=com" -x -vvv -d 65535
                    ldap_initialize( <DEFAULT> )
                    ldap_create
                    ldap_bind
                    ldap_simple_bind
                    ldap_sasl_bind
                    ldap_send_initial_request
                    ldap_new_connection 1 1 0
                    ldap_int_open_connection
                    ldap_connect_to_host: TCP wgtsinf01:636
                    ldap_new_socket: 4
                    ldap_prepare_socket: 4
                    ldap_connect_to_host: Trying 10.64.47.50:636
                    ldap_connect_timeout: fd: 4 tm: -1 async: 0
                    TLS trace: SSL_connect:before/connect initialization
                    tls_write: want=124, written=124
                    ...
                    TLS trace: SSL_connect:SSLv3 read server hello A
                    TLS certificate verification: depth: 1, err: 19, subject: /C=NZ/ST=NI/L=Andreas Berendsen/O=Bank of New Zealand/OU=BTS/CN=BNZ_CA, issuer: /C=NZ/ST=NI/L=Andreas Berendsen/O=Bank of New Zealand/OU=BTS/CN=BNZ_CA
                    TLS certificate verification: Error, self signed certificate in certificate chain
                    TLS trace: SSL_connect:SSLv3 read server certificate A
                    TLS trace: SSL_connect:SSLv3 read server certificate request A
                    TLS trace: SSL_connect:SSLv3 read server done A
                    TLS trace: SSL_connect:SSLv3 write client certificate A
                    TLS trace: SSL_connect:SSLv3 write client key exchange A
                    TLS trace: SSL_connect:SSLv3 write change cipher spec A
                    TLS trace: SSL_connect:SSLv3 write finished A
                    ...
                    If I'm reading this output correctly, the connection is using both TLS and SIMPLE.

                    4. Sun Native LDAP client uses /var/ldap* and you can see the contents below.
                    ________________________________________________
                    [SunOS 5.9/bash] root@wgls02:/root
                    # ldapclient list
                    NS_LDAP_FILE_VERSION= 2.0
                    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
                    NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
                    NS_LDAP_SERVERS= wgtsinf01.nz.thenational.com, wgpsinf01.nz.thenational.com, akpsinf01.nz.thenational.com
                    NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
                    NS_LDAP_AUTH= tls:simple
                    NS_LDAP_SEARCH_SCOPE= one
                    NS_LDAP_SERVER_PREF= wgtsinf01.nz.thenational.com
                    NS_LDAP_CREDENTIAL_LEVEL= anonymous
                    NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_BIND_TIME= 30
                    4.1. The Sun native LDAP client ldaplist program, which always uses SIMPLE, is working:
                    ________________________________________________
                    [SunOS 5.9/bash] root@wgls02:/root
                    # ldaplist
                    dn: ou=SolarisProfAttr,dc=nz,dc=thenational,dc=com
                    
                    dn: ou=Timezone,dc=nz,dc=thenational,dc=com
                    ...
                    4.2. Now the strange behavior. The Sun native LDAP client ldapsearch does not seem to use the configuration file. From the output below you can see that it is using SIMPLE as well.
                    ________________________________________________
                    [SunOS 5.9/bash] root@wgls02:/root
                    # /usr/bin/ldapsearch -b "" -v "(objectclass=*)"
                    ldap_init( localhost, 389 )
                    filter pattern: (objectclass=*)
                    returning: ALL
                    filter is: ((objectclass=*))
                    ldap_search: Can't connect to the LDAP server
                    The solution is to force host/port but... the tool is not using TLS:
                    ________________________________________________
                    [SunOS 5.9/bash] root@wgls02:/root
                    # /usr/bin/ldapsearch -b "" -v -h wgtsinf01.nz.thenational.com -p 636  "(objectclass=*)"
                    ldap_init( wgtsinf01.nz.thenational.com, 636 )
                    filter pattern: (objectclass=*)
                    returning: ALL
                    filter is: ((objectclass=*))
                    ^C
                    4.3. As this tool does not support TLS from the command line (at least in Solaris 8 and 9) I can't test this correctly. Using Solaris 10, after configuring for TLS, I'm able to login but native ldapsearch is not working.
                    ________________________________________________
                    [SunOS 5.10/bash] root@wgls01:/root
                    # ldapclient list
                    NS_LDAP_FILE_VERSION= 2.0
                    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
                    NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
                    NS_LDAP_SERVERS= wgtsinf01.nz.thenational.com, wgpsinf01.nz.thenational.com, akpsinf01.nz.thenational.com
                    NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
                    NS_LDAP_AUTH= tls:simple
                    NS_LDAP_SEARCH_SCOPE= one
                    NS_LDAP_SERVER_PREF= wgtsinf01.nz.thenational.com
                    NS_LDAP_CACHETTL= 0
                    NS_LDAP_CREDENTIAL_LEVEL= anonymous
                    NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
                    NS_LDAP_BIND_TIME= 30
                    ________________________________________________
                    [SunOS 5.10/bash] root@wgls01:/root
                    # ls -la /var/ldap/*db
                    -rw-r--r--   1 root     root       65536 Aug  8 08:41 /var/ldap/cert8.db
                    -rw-r--r--   1 root     root       32768 Aug  8 08:41 /var/ldap/key3.db
                    -rw-r--r--   1 root     root       32768 Aug  2 16:56 /var/ldap/secmod.db
                    
                    ________________________________________________
                    [SunOS 5.10/bash] root@wgls01:/root
                    # /usr/bin/ldapsearch -h wgtsinf01.nz.thenational.com -p 636 -P /var/ldap -b "" -v -Z -s base -d 65535 "(objectclass=*)"
                    compile with -DLDAP_DEBUG for debugging
                    ldapsearch: started Wed Aug  8 08:48:26 2007
                    
                    ldap_init( wgtsinf01.nz.thenational.com, 636 )
                    filter pattern: (objectclass=*)
                    returning: ALL
                    filter is: (objectclass=*)
                    ldap_search: Can't contact LDAP server
                    4.4. From this behavior I'm not sure if Solaris 10 is really using TLS to authenticate the user accounts during the login process. If native ldapsearch is not working with TLS, I assume that the authentication process is not using TLS as well. I do not know how to test this so I have to assume that PAM LDAP library is using TLS as pointed by my LDAP configuration files.

                    Cheers,
                    Andreas
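The question in 4.4 (is the login path really using TLS?) is answerable from the directory server side rather than the client: a DSEE access log records, per connection, whether it arrived as an "LDAP connection" or an "LDAPS connection", the negotiated cipher once the handshake is done, and every BIND with its method (`method=128` is a simple bind). The following is an added example, not part of the thread: a parser that correlates each BIND with the transport it rode on and flags passwords that crossed the wire in clear. SAMPLE_LOG is constructed to mirror that format with documentation addresses and an invented base DN; the `EXT` line for StartTLS and the assumption that a StartTLS session logs the same "SSL ..." line after its handshake are this example's own, as are the function names and messages.

```python
"""Correlate BINDs in a DSEE-style access log with the transport that carried them.
Added example for this thread, not code from the original post. SAMPLE_LOG is
constructed (documentation IPs, invented DNs) to mirror the log format quoted above."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[08/Aug/2007:08:13:32 +0200] conn=943 op=-1 msgId=-1 - fd=136 slot=136 LDAP connection from 192.0.2.10 to 192.0.2.1
[08/Aug/2007:08:13:32 +0200] conn=943 op=0 msgId=1 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms"
[08/Aug/2007:08:13:32 +0200] conn=943 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
[08/Aug/2007:08:13:33 +0200] conn=943 op=1 msgId=2 - BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[08/Aug/2007:08:13:33 +0200] conn=943 op=1 msgId=2 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=com"
[08/Aug/2007:08:13:33 +0200] conn=943 op=2 msgId=3 - UNBIND
[08/Aug/2007:09:23:55 +0200] conn=944 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from 192.0.2.10 to 192.0.2.1
[08/Aug/2007:09:23:55 +0200] conn=944 op=-1 msgId=-1 - SSL 128-bit RC4
[08/Aug/2007:09:23:55 +0200] conn=944 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[08/Aug/2007:09:23:55 +0200] conn=944 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=com"
[08/Aug/2007:09:23:55 +0200] conn=944 op=2 msgId=3 - UNBIND
[08/Aug/2007:09:30:01 +0200] conn=945 op=-1 msgId=-1 - fd=137 slot=137 LDAP connection from 192.0.2.11 to 192.0.2.1
[08/Aug/2007:09:30:01 +0200] conn=945 op=0 msgId=1 - EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Aug/2007:09:30:01 +0200] conn=945 op=0 msgId=1 - RESULT err=0 tag=120 nentries=0 etime=0
[08/Aug/2007:09:30:01 +0200] conn=945 op=-1 msgId=-1 - SSL 256-bit AES
[08/Aug/2007:09:30:02 +0200] conn=945 op=1 msgId=2 - BIND dn="" method=sasl version=3 mech=DIGEST-MD5
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<body>.*)$")

def analyse(log_text):
    """Per connection: transport, client, cipher (set once TLS is up) and every BIND seen."""
    conns = defaultdict(lambda: {"transport": None, "client": None, "cipher": None, "binds": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        c, body = conns[m["conn"]], m["body"]
        hello = re.search(r"\b(LDAPS?) connection from (\S+)", body)
        if hello:
            c["transport"], c["client"] = hello.groups()
        elif body.startswith("SSL "):                  # logged after the handshake, e.g. 'SSL 128-bit RC4'
            c["cipher"] = body[4:]
        elif body.startswith("BIND "):
            dn = re.search(r'dn="([^"]*)"', body).group(1)
            method = re.search(r"method=(\S+)", body).group(1)
            mech = re.search(r"mech=(\S+)", body)
            c["binds"].append({"dn": dn or "anonymous",
                               "method": "simple" if method == "128" else (mech.group(1) if mech else method),
                               "encrypted": c["cipher"] is not None})   # no cipher yet => cleartext bind
    return dict(conns)

def findings(conns):
    """(conn, message) for password-on-the-wire binds and weak ciphers."""
    out = []
    for conn, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        for b in c["binds"]:
            if b["method"] == "simple" and not b["encrypted"]:
                out.append((conn, f"simple bind as {b['dn']} from {c['client']} over cleartext {c['transport']}: password exposed"))
        if c["cipher"] and "RC4" in c["cipher"]:
            out.append((conn, f"negotiated {c['cipher']}: RC4 is broken, tighten the server cipher list"))
    return out

if __name__ == "__main__":
    for conn, msg in findings(analyse(SAMPLE_LOG)):
        print(f"conn={conn}: {msg}")
```

Run against the constructed sample it reports conn=943 (proxyagent's password sent in a simple bind over plain LDAP) and conn=944 (encrypted, but with RC4). Tailing the real access log while a user logs in on the Solaris 10 client, then grepping the connection id, gives the same answer for the PAM path: if the BIND on that connection is preceded by an "LDAPS connection" or an "SSL ..." line, TLS is in use; if it sits on an "LDAP connection" with no cipher line, it is not.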
                    • 7. Re: LDAP client with TLS
                      807573
                      ------------------------------------------------------------------------------
                      # Working configurations:
                      #                                                                ldapsearch
                      #                             Auth            Channel login sudo DS  Native Open
                      #       LDAP connectivity withouth proxy
                      #               Solaris 10 => simple          clear   yes   yes  yes yes    yes
                      #                             sasl/digest-md5 clear   yes   yes  yes yes    no
                      #                             simple          TLS     no    n/a  no  no     yes
                      #                             simple          tls     no    no   no  no     no
                      #               Solaris 9  => simple          clear   yes   yes  yes yes    yes
                      #                             sasl/digest-md5 clear   yes   yes  yes        no
                      #                             simple          TLS     no    n/a  no  no     yes
                      #                             sasl/digest-md5 tls     no    no   no  no     no
                      #               Solaris 8  => simple          clear   yes   yes  yes n/a    yes
                      #                             sasl/digest-md5 clear   yes   yes  yes n/a    no
                      #                             simple          tls     no    no   no  no     no
                      #                             sasl/digest-md5 tls     no    no   no  no     no
                      #       LDAP connectivity with proxy
                      #               Solaris 10 => simple          clear   yes   yes  yes yes    yes
                      #                             sasl/digest-md5 clear   no    no   no  yes    no
                      #                             simple          tls     no    no   no  no     no
                      #                             sasl/digest-md5 tls     no    no   no  no     no
                      #               Solaris 9  => simple          clear   yes   yes  yes yes    yes
                      #                             sasl/digest-md5 clear   no    no   no  yes    no
                      #                             simple          tls     no    no   no  no     no
                      #                             sasl/digest-md5 tls     no    no   no  no     no
                      #               Solaris 8  => simple          clear   yes   yes  yes yes    yes
                      #                             sasl/digest-md5 clear   no    no   no  n/a    no
                      #                             simple          tls     no    no   no  no     no
                      #                             sasl/digest-md5 tls     no    no   no  no     no
                      #-------------------------------------------------------------------------------
                      • 8. Re: LDAP client with TLS
                        807573
                        Hi Andreas,

                        1. You got me on this.. I'm not sure what the difference between those two is.. But you can check what is encrypted by looking at your Directory Server logfile, while making queries:
                        on your Directory Server do:
                        bash-3.00# cd /var/opt/SUNWdsee/dsins1/logs/
                        bash-3.00# tail -f access
                        [08/Aug/2007:08:13:32 +0200] conn=943 op=-1 msgId=-1 - fd=136 slot=136 LDAP connection from 192.168.xxx.xxx to 192.168.xxx.xxx
                        [08/Aug/2007:08:13:32 +0200] conn=943 op=0 msgId=1 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
                        [08/Aug/2007:08:13:32 +0200] conn=943 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
                        [..]
                        [08/Aug/2007:09:23:55 +0200] conn=944 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from 192.168.xxx.xxx to 192.168.xxx.xxx
                        [08/Aug/2007:09:23:55 +0200] conn=944 op=-1 msgId=-1 - SSL 128-bit RC4
                        [08/Aug/2007:09:23:55 +0200] conn=944 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=x,dc=x,dc=x" method=128 version=3
                        [08/Aug/2007:09:23:55 +0200] conn=944 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=x,dc=x,dc=x"
                        [08/Aug/2007:09:23:55 +0200] conn=944 op=1 msgId=2 - SRCH base="ou=hosts,dc=x,dc=x,dc=x" scope=1 filter="(&(objectClass=ipHost)(ipHostNumber=192.168.xxx.xxx))" attrs="cn ipHostNumber"
                        [08/Aug/2007:09:23:55 +0200] conn=944 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
                        [08/Aug/2007:09:23:55 +0200] conn=944 op=2 msgId=3 - UNBIND
                        If there are a lot of queries you might grep for your IP and afterwards grep for the connection id (conn=943 and the like).
                        There are two interesting connections for me:
-conn=943: An unencrypted LDAP connection (recognized in the log by the words "LDAP connection") to ask for the supported connection methods. I think it's normal that this is unencrypted.

                        -conn=944: An encrypted connection (recognized in log by the words "LDAPS connection") for the real query.

                        Please check your log, while doing an encrypted query to see what it says. You could also check it while logging in to your system.

3. The Solaris native LDAP client uses /var/ldap/* - correct. But the native ldapsearch tool does not seem to look into that directory. I always have to use -h -p -P to get a working query. Anyway, when I use native ldapsearch with these options it works. And then everything else (su, getent passwd, id, ..) works too!

                        4.2 Yes, I experienced that too. native ldapsearch is not using /var/ldap/* without telling it to.

4.3 OK, first let's deal with Solaris 10, this should be easy to set up:
                        -Your ldapclient list report looks good.
                        -My ownership in /var/ldap is:
                        root@vts4:/# ls -l /var/ldap/*db
                        -rw-r--r--   1 root     root       65536 May  8 11:25 /var/ldap/cert8.db
                        -rw-r--r--   1 root     root       32768 May  8 11:25 /var/ldap/key3.db
                        -rw-------   1 root     root       32768 Apr 26 11:00 /var/ldap/secmod.db
                        I'm not sure if it is important, but my secmod.db is not world and group readable.

                        -Please watch your Directory Server access log (like above) and do the following on your Sol10 client:
                        root@vts4:/# tail -f /var/adm/messages &
                        [1] 4848
                        root@vts4:/# /usr/bin/ldapsearch -h wgtsinf01.nz.thenational.com -p 636 -P /var/ldap -b "" -v -Z -s base -d 65535 "(objectclass=*)"
Let's see if there is any error. There should be something in your syslog saying "libsldap: Status: * Mesg: .." or so.

If so, check if your CA and server certificates are valid. Valid dates, valid hostname.. Did you do a request from the Directory Server and then sign your certificate with your CA certificate?

                        regards
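As an added example (not part of the reply above or of the thread), here is a small Python parser for the DSEE access-log format shown in that reply: it groups lines by conn id, tells LDAP from LDAPS connections by the "LDAP connection" / "LDAPS connection" banner and the "SSL <cipher>" line, and lists simple binds (method=128) that ran on a connection without SSL. The sample log lines are constructed to mirror the post's format; IPs and DNs are placeholders, and treating any connection with an "SSL" line as encrypted is an assumption.

```python
import re

# Constructed sample in the DSEE access-log format quoted in the thread.
# Addresses and DNs are placeholders, not real data.
SAMPLE_ACCESS_LOG = """\
[08/Aug/2007:08:13:32 +0200] conn=943 op=-1 msgId=-1 - fd=136 slot=136 LDAP connection from 192.168.1.11 to 192.168.1.50
[08/Aug/2007:08:13:32 +0200] conn=943 op=0 msgId=1 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[08/Aug/2007:08:13:32 +0200] conn=943 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
[08/Aug/2007:08:13:32 +0200] conn=943 op=1 msgId=2 - UNBIND
[08/Aug/2007:09:23:55 +0200] conn=944 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from 192.168.1.11 to 192.168.1.50
[08/Aug/2007:09:23:55 +0200] conn=944 op=-1 msgId=-1 - SSL 128-bit RC4
[08/Aug/2007:09:23:55 +0200] conn=944 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=x,dc=x,dc=x" method=128 version=3
[08/Aug/2007:09:23:55 +0200] conn=944 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=x,dc=x,dc=x"
[08/Aug/2007:09:23:55 +0200] conn=944 op=1 msgId=2 - SRCH base="ou=hosts,dc=x,dc=x,dc=x" scope=1 filter="(&(objectClass=ipHost)(ipHostNumber=192.168.1.11))" attrs="cn ipHostNumber"
[08/Aug/2007:09:23:55 +0200] conn=944 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[08/Aug/2007:09:23:55 +0200] conn=944 op=2 msgId=3 - UNBIND
[08/Aug/2007:09:30:01 +0200] conn=945 op=-1 msgId=-1 - fd=137 slot=137 LDAP connection from 192.168.1.12 to 192.168.1.50
[08/Aug/2007:09:30:01 +0200] conn=945 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=x,dc=x,dc=x" method=128 version=3
[08/Aug/2007:09:30:01 +0200] conn=945 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=x,dc=x,dc=x"
[08/Aug/2007:09:30:01 +0200] conn=945 op=1 msgId=2 - UNBIND
"""

# Common prefix of every access-log line: timestamp, conn, op, msgId, then the payload.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) '
                     r'msgId=(?P<msg>-?\d+) - (?P<rest>.*)$')
CONN_RE = re.compile(r'(?P<proto>LDAPS?) connection from (?P<src>\S+) to (?P<dst>\S+)')
SSL_RE = re.compile(r'^SSL (?P<cipher>.+)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')


def parse_access_log(text):
    """Group access-log lines by connection id.

    Returns {conn_id: {proto, src, dst, cipher, binds, ops, closed}} where
    proto is 'LDAP' or 'LDAPS' (from the connection banner), cipher is the
    text after 'SSL ' or None, binds is a list of (dn, method) and ops is
    the set of op numbers seen on the connection.
    """
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an access-log line (banner, wrapped text, ...)
        conn = int(m.group('conn'))
        rest = m.group('rest')
        entry = conns.setdefault(conn, {'proto': None, 'src': None, 'dst': None,
                                        'cipher': None, 'binds': [], 'ops': set(),
                                        'closed': False})
        banner = CONN_RE.search(rest)
        if banner:
            entry['proto'], entry['src'], entry['dst'] = banner.group('proto', 'src', 'dst')
            continue
        ssl = SSL_RE.match(rest)
        if ssl:
            entry['cipher'] = ssl.group('cipher')
            continue
        if m.group('op') != '-1':
            entry['ops'].add(int(m.group('op')))
        bind = BIND_RE.match(rest)
        if bind:
            entry['binds'].append((bind.group('dn'), bind.group('method')))
        elif rest == 'UNBIND':
            entry['closed'] = True
    return conns


def is_encrypted(entry):
    """Assumption: a connection counts as encrypted once the server has logged
    an 'SSL <cipher>' line for it (LDAPS, or a StartTLS upgrade)."""
    return entry['cipher'] is not None


def cleartext_binds(conns):
    """(conn, dn, method) for every BIND on a connection without SSL.
    method=128 is a simple bind, so its password crossed the wire in clear."""
    return [(conn, dn, method)
            for conn, entry in conns.items() if not is_encrypted(entry)
            for dn, method in entry['binds']]


def summarize(conns):
    """One line per connection, the view you get by grepping for a conn id."""
    lines = []
    for conn, e in conns.items():
        enc = e['cipher'] if is_encrypted(e) else 'NO ENCRYPTION'
        binds = ', '.join(dn or '<anonymous>' for dn, _ in e['binds']) or '<no bind>'
        lines.append(f"conn={conn} {e['proto']} {e['src']} -> {e['dst']} [{enc}] "
                     f"ops={len(e['ops'])} bind={binds} closed={e['closed']}")
    return lines


if __name__ == '__main__':
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    for line in summarize(parsed):
        print(line)
    for conn_id, dn, method in cleartext_binds(parsed):
        print(f"WARNING: cleartext bind on conn={conn_id} dn={dn} method={method}")
```

On a real server, feed it the output of `tail` or `cat` on the access log; conn=943 in the sample is the anonymous rootDSE query the reply calls normal, while conn=945 is the case worth chasing.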
                        • 9. Re: LDAP client with TLS
                          807573
                          Hello David,

Let's follow your suggestion and try to make Solaris 10 use TLS:SIMPLE now. Sorry for the extremely long log entries, but I tried to capture everything during the authentication process.

                          My client has an IP address of 10.64.47.11 and the DS server is using the IP address of 10.64.47.50.

                          a) Sun native LDAP configurations:
                          ________________________________________________
                          [SunOS 5.10/bash] root@wgls01:/var/ldap
                          # ls -la *db
                          -rw-r--r--   1 root     root       65536 Aug  8 14:46 cert8.db
                          -rw-r--r--   1 root     root       32768 Aug  8 14:46 key3.db
                          -rw-------   1 root     root       32768 Aug  2 16:56 secmod.db
                          ________________________________________________
                          [SunOS 5.10/bash] root@wgls01:/var/ldap
                          # ldapclient list
                          NS_LDAP_FILE_VERSION= 2.0
                          NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
                          NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
                          NS_LDAP_SERVERS= wgtsinf01.nz.thenational.com
                          NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
                          NS_LDAP_AUTH= tls:simple
                          NS_LDAP_SEARCH_SCOPE= one
                          NS_LDAP_SERVER_PREF= wgtsinf01.nz.thenational.com
                          NS_LDAP_CACHETTL= 0
                          NS_LDAP_CREDENTIAL_LEVEL= anonymous
                          NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?one
                          NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
                          NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
                          NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
                          NS_LDAP_BIND_TIME= 30
                          b) Output from DSEE6.1 error log file:
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=Hosts,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=ipHost)(ipHostNumber=10.64.47.58))" attrs="cn ipHostNumber"
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0xb
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=Hosts,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=ipHost)(ipHostNumber=10.64.47.58))" attrs="cn ipHostNumber"
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0xb
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=group,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixGroup)(memberUid=p642929))" attrs="cn gidNumber userPassword memberUid"
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x1000
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=5 attrsonly=0 filter="(|(objectClass=*)(objectClass=ldapSubEntry))" attrs="1.1"
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : frontend-internal
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : frontend-internal
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : frontend-internal
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : frontend-internal
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs=ALL
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -  cos_cache_vattr_types: failed to get class of service reference
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=30 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : frontend-internal
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : frontend-internal
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : frontend-internal
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : frontend-internal
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs=ALL
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
                          [13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -  cos_cache_vattr_types: failed to get class of service reference
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : nz
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=30 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : frontend-internal
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree selected backend : frontend-internal
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter(-1)
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : frontend-internal
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  <= roles_filter_rewriter_cleanup
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 -  mapping tree release backend : frontend-internal
                          [13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 -  => roles_filter_rewriter_cleanup
                          [13
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                          • 10. Re: LDAP client with TLS
                            807573
                            Hi,

                            in your access log:
                            [13/Aug/2007:12:01:00 +1200] conn=6944 op=-1 msgId=-1 - fd=38 slot=38 LDAPS connection from 10.64.47.11:35043 to 10.64.47.50
                            [13/Aug/2007:12:01:00 +1200] conn=6944 op=0 msgId=-1 - closing from 10.64.47.11:35043 - B4 - Server failed to flush BER data back to client -
                            [13/Aug/2007:12:01:00 +1200] conn=6944 op=-1 msgId=-1 - closed.
                             Now we need to find out why the "Server failed to flush BER data back to client". I have never seen this message before..

                             I am also wondering why the ldap client 10.64.47.11 is making plenty of unencrypted LDAP connections. It is configured to do tls:simple only. In my case there are only LDAPS entries in the log.. Is there another application running on the client which does these queries? Maybe Messaging Server or the like? But the query involves hosts, people and groups - very strange.. This is usually what the system needs when you log on or execute "getent hosts" and so on..

                             But again: How did you create your server certificate? Did you use the standard one which is created during installation? I have no experience using this certificate. What I did is:
                            1. created a CA with certutil
                            2. made a certificate request with DS
                            3. signed that request with my CA
                            4. imported the signed certificate in DS
                            5. placed my CA-certificate on the client

                             This is the only way I could get it to work! I could post the commands to do the certutil stuff if needed..

                            Another thought:
                             Is it possible that a firewall is blocking the connection from 10.64.47.50:636 to 10.64.47.11:35043?

                            regards
                            David

                            Message was edited by:
                            DavidSchulz
                            • 11. Re: LDAP client with TLS
                              807573
                              Hello David

                               Googling around, I found a page (http://docs.sun.com/source/817-7616/fileref.html) which describes the B4 error as "This code can occur when the client closes the connection to the server, before the server finished sending data to the client." No idea how this can be accomplished.

                               The contents from the log files above are from an ssh login session.

                               Below is the script I created to manage these certificate creation steps....
                              # cat DsCreateCert
                              #!/bin/ksh -a
                              
                              # If the following flag is set to 1, certutil will be used. If set to 0, openssl will be used
                              flagUseCertutil=1
                              
                              # DER: a binary format
                              # PEM: base-64 encoded DER format with header and footer
                              # certutil: Default is DER. For PEM, use "-a"
                              # openssl: Default is PEM. For DER, use "-inform DER" and/or "-outform DER"
                              flagUseDer=0
                              flagUsePem=1
                              
                              openSslPath=/usr/local/ssl
                              SSL=${openSslPath}/bin/openssl
                              CERT=/usr/sfw/bin/certutil
                              PK12=/usr/sfw/bin/pk12util
                              
                              # Fake CA (Certification Authority) database
                              caDbPath=/store/bnz/cacertdb
                              caId="ca-"
                              caDbId="-d ${caDbPath} -P ${caId}"
                              
                              # LDAP server certification database
                              serverRoot="/var/ldap_data_files/ds"
                              serverDbPrefix="slapd-"
                              serverDbPath="${serverRoot}/alias"
                              serverDbId="-d ${serverDbPath} -P ${serverDbPrefix}"
                              
                              # Certificate
                              subjectSuffix="ou=BTS,o=Bank of New Zealand,l=Andreas Berendsen,st=NI,c=NZ"
                              subjectCA="cn=BNZ_CA,${subjectSuffix}"
                              subjectCert="cn=$(hostname).$(domainname),${subjectSuffix}"
                              
                              #===============================================================================
                              #===============================================================================
                              ShowChapter() {
                              echo "
                              ********************************************************************************
                              * ${1}
                              ********************************************************************************
                              "
                              }
                              
                              #===============================================================================
                              #===============================================================================
                              ShowStep() {
                              echo "+------------------------------------------------------------------------"
                              while [[ "${1}" != "" ]]; do
                                echo "| ${1}"
                                shift
                              done
                              echo "+------------------------------------------------------------------------"
                              }
                              
                              #===============================================================================
                              #===============================================================================
                              rm -rf /store/bnz/cacertdb
                              #rm -rf /store/bnz/cacertdb ${serverDbPath}/${serverDbPrefix}*.db
                              
                              ShowChapter "Checking NSS database password protection"
                              if [[ $( echo $(dsadm get-flags ${serverRoot} | grep cert-pwd-prompt|cut -d':' -f2) ) = off ]]; then
                                 ShowStep "Stopping DS"
                                dsadm stop ${serverRoot}
                                ShowStep "Setting NSS database password" \
                                         " " \
                                         "At prompt 'Choose the new certificate database password:', type password" \
                                         "At prompt 'Confirm the new certificate database password:', type password"
                                dsadm set-flags ${serverRoot} cert-pwd-prompt=on
                                echo "Internal (Software) Token:password" > ${serverDbPath}/${serverDbPrefix}pin.txt
                                chmod 400 ${serverDbPath}/${serverDbPrefix}pin.txt
                                ShowStep "Starting DS" \
                                         " " \
                                          "At prompt 'Enter PIN for Internal (Software) Token', type password"
                                dsadm start ${serverRoot} 2>/dev/null
                              fi
                              
                              ShowChapter "NSS database clean-up"
                              certutil -L ${serverDbId}|grep -v "defaultCert"|cut -d' ' -f1|while read certName; do
                                echo "----- Removing certificate ${certName}"
                                certutil -D ${serverDbId} -n ${certName}
                              done
                              
                              #-----
                              #----- Prepare Test Certification Authority (CA) environment
                              #-----
                              if [[ ! -e ${caDbPath}/ca-cert8.db ]]; then
                                ShowChapter "Creating CA environment and database"
                                if [[ ${flagUseCertutil} -eq 0 ]]; then
                                  #.....................................................................
                                  # Using OpenSSL to create CA database
                                  #.....................................................................
                                  if [[ $( grep -c "${caDbPath}" ${openSslPath}/misc/CA.pl ) -eq 0 ]]; then
                                    ShowStep "Updating ${openSslPath}/misc/CA.pl"
                                    [[ -e ${openSslPath}/misc/CA.pl ]] && cp ${openSslPath}/misc/CA.pl ${openSslPath}/misc/CA.pl.backup.$$
                                     # Point CA.pl's $CATOP at our CA directory. The dollar signs are escaped so the
                                     # shell leaves "$CATOP" and the "$" end-of-line anchor for sed instead of expanding them.
                                     sed -e "/^\$CATOP=/s_=.*\$_=\"${caDbPath}\";_" ${openSslPath}/misc/CA.pl.backup.$$ > ${openSslPath}/misc/CA.pl
                                  fi
                              
                                  if [[ $( grep -c "${caDbPath}" ${openSslPath}/openssl.cnf ) -eq 0 ]]; then
                                    ShowStep "Updating ${openSslPath}/openssl.cnf"
                                    [[ -e ${openSslPath}/openssl.cnf ]] && cp ${openSslPath}/openssl.cnf ${openSslPath}/openssl.cnf.backup.$$
                                     # Same escaping: "\$" keeps the end-of-line anchor out of the shell's hands.
                                     sed "/^dir/s_=.*\$_=${caDbPath}_" ${openSslPath}/openssl.cnf.backup.$$ > ${openSslPath}/openssl.cnf
                                  fi
                              
                                  ShowStep "Creating CA directory structure at ${caDbPath}" \
                                           " " \
                                           "At prompt 'CA certificate filename (or enter to create)' press ENTER" \
                                           "At prompt 'Enter PEM pass phrase:', type password" \
                                           "At prompt 'Verifying - Enter PEM pass phrase:' type password"\
                                            "At subsequent prompts, press ENTER"
                              
                                  perl ${openSslPath}/misc/CA.pl -newca
                                else
                                  #.....................................................................
                                  # Using certutil to create CA database
                                  #.....................................................................
                                  [[ ! -e ${caDbPath} ]] && mkdir ${caDbPath}
                                  cd ${caDbPath}
                              
                                  ShowStep "Create CA certificate DB" \
                                           " " \
                                           "At prompt 'Enter new password:' type password" \
                                           "At prompt 'Re-enter password:' type password"
                              
                                  ${CERT} -N ${caDbId}
                              
                                  ShowStep "Create a self-signed CA certificate" \
                                           " " \
                                           "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":' type password" \
                                           "After the key creation is finished, choose option 5 and then 9" \
                                           "At prompt 'Is this a critical extension [y/N]?', type Y"
                              
                                  ${CERT} -S ${caDbId} -x -n "ca-cert" -s "${subjectCA}" -t CTPu -v 120 -5
                              
                                  if [[ ${flagUsePem} -eq 1 ]]; then
                                    #..................................................export CA in text (PEM)
                                    ShowStep "Export the CA cert into an output file in PEM format" \
                                             "" \
                                             "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":', type password" \
                                             "At subsequent prompts, simply press ENTER and accept the default values"
                                    ${CERT} -L ${caDbId} -n "ca-cert" -a > cacert.pem
                                  fi
                                  if [[ ${flagUseDer} -eq 1 ]]; then
                                    #................................................export CA in binary (DER)
                                    ShowStep "Export the CA cert into an output file in DER format" \
                                             "" \
                                             "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":', type password" \
                                             "At subsequent prompts, simply press ENTER and accept the default values"
                                    ${CERT} -L ${caDbId} -n "ca-cert" > cacert.der
                                  fi
                                fi
                              fi
                              
                              
                              #-----
                              #----- Create NSS DB for Directory Server
                              #-----
                               #       This block needs to be adjusted to use the correct Directory Server (DS) database
                              ShowChapter "Create NSS DB for Directory Server"
                              if [[ ! -e ${serverDbPath}/${serverDbPrefix}cert8.db ]]; then
                                ${CERT} -N ${serverDbId}
                              else
                                 echo "***** Database already created. Nothing to do"
                              fi
                              
                              #------
                              #----- Generate Certificate Signing Request (CSR) for server cert
                              #-----
                              ShowChapter "Generate Certificate Signing Request (CSR) for server cert"
                              if [[ ${flagUseCertutil} -eq 1 ]]; then
                                ShowStep "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":', type password"
                                [[ ${flagUseDer} -eq 1 ]] && ${CERT} -R ${serverDbId} -s "${subjectCert}" -o DER.csr
                                [[ ${flagUsePem} -eq 1 ]] && ${CERT} -R ${serverDbId} -s "${subjectCert}" -o PEM.csr -a
                              else
                                ShowStep "Generate 2048-bit RSA private key"
                                ${SSL} genrsa -out privkey.pem 2048
                              
                                ShowStep "Generate the certificate request" \
                                         " " \
                                         "At all prompts, press ENTER to accept the default value"
                                ${SSL} req -new -key privkey.pem -out PEM.csr
                              
                                ShowStep "Display the content and public key from the certificate request"
                                ${SSL} req -in PEM.csr -text -pubkey
                              fi
                              
                              #-----
                              #----- Sign CSR using Fake CA
                              #-----
                              ShowChapter "Sign CSR using Fake CA"
                              
                              if [[ ${flagUseCertutil} -eq 1 ]]; then
                                if [[ ${flagUseDer} -eq 1 ]]; then
                                  ShowStep "Sign DER CSR" \
                                           "" \
                                           "After the key creation is finished, choose option 5 and then 9" \
                                           "At prompt 'Is this a critical extension [y/N]?', type Y" \
                                           "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":' type password"
                                  ${CERT} -C ${caDbId} -c "ca-cert" -i DER.csr -o ./cert.der -v 12 -5
                                fi
                              
                                if [[ ${flagUsePem} -eq 1 ]]; then
                                  ShowStep "Sign PEM CSR" \
                                           "" \
                                           "After the key creation is finished, choose option 5 and then 9" \
                                           "At prompt 'Is this a critical extension [y/N]?', type Y" \
                                           "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":' type password"
                                  ${CERT} -C ${caDbId} -c "ca-cert" -i PEM.csr -o ./cert.pem -v 12 -5 -a
                                fi
                              else
                                ShowStep "openssl" \
                                         "" \
                                         "At prompt 'Enter pass phrase for /store/bnz/cacertdb/private/cakey.pem:' type password"
                                ${SSL} ca -policy policy_anything -cert cacert.pem -in PEM.csr -out ./cert.pem
                              fi
                              
                              #-----
                              #----- Import signed certs into NSS DB
                              #-----
                              ShowChapter "Import signed certs into NSS DB"
                              if [[ ${flagUseCertutil} -eq 1 ]]; then
                                if [[ ${flagUsePem} -eq 1 ]]; then
                                  ShowStep "Import PEM server cert"
                                  ${CERT} -A ${serverDbId} -n "server-cert" -i cert.pem   -t Pu -a
                              
                                   ShowStep "Import PEM CA cert"
                                  ${CERT} -A ${serverDbId} -n "ca-cert"     -i cacert.pem -t CT -a
                                fi
                                if [[ ${flagUseDer} -eq 1 ]]; then
                                  ShowStep "Import DER server cert"
                                  ${CERT} -A ${serverDbId} -n "server-cert" -i cert.der   -t Pu
                              
                                   ShowStep "Import DER CA cert"
                                  ${CERT} -A ${serverDbId} -n "ca-cert"     -i cacert.der -t CT
                                fi
                              
                                ShowStep "List all certificates"
                                echo ""|${CERT} -L ${serverDbId}
                              
                                 ShowStep "List the contents of server certificate"
                                echo ""|${CERT} -L ${serverDbId} -n "server-cert"
                              
                                ShowStep "List the contents of CA certificate"
                                echo ""|${CERT} -L ${serverDbId} -n "ca-cert"
                              else
                                ${SSL} pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cacert.pem -name "MY CERTIFICATE" -out mycert.p12
                                ${PK12} -i mycert.p12 ${serverDbId} -v
                              fi
                              
                              #-----
                               #----- Enable SSL
                               #-----
                               ShowChapter "Enable SSL"
                               echo "Total ciphers allowed: $( dsconf get-server-prop -D "cn=Directory Manager" -h wgtsinf01 -p 389 -c ssl-supported-ciphers|wc -l)"
                               # Enables every cipher family the server supports, including the NULL, export-grade,
                               # DES and RC4 families; this is the complete list for the test server.
                               dsconf set-server-prop -D "cn=Directory Manager" -h wgtsinf01 -p 389 \
                                 ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
                                 ssl-cipher-family:TLS_DHE_RSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_AES_256_CBC_SHA \
                                 ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \
                                 ssl-cipher-family:TLS_RSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_RC4_128_SHA \
                                 ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_ECDHE_RSA_WITH_RC4_128_SHA \
                                 ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_RC4_128_SHA \
                                 ssl-cipher-family:TLS_DHE_RSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_AES_128_CBC_SHA \
                                 ssl-cipher-family:TLS_ECDH_RSA_WITH_RC4_128_SHA ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_128_CBC_SHA \
                                 ssl-cipher-family:TLS_ECDH_ECDSA_WITH_RC4_128_SHA ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \
                                 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 ssl-cipher-family:SSL_RSA_WITH_RC4_128_SHA \
                                 ssl-cipher-family:TLS_RSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA \
                                 ssl-cipher-family:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
                                 ssl-cipher-family:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA \
                                 ssl-cipher-family:TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA \
                                 ssl-cipher-family:SSL_RSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_DHE_RSA_WITH_DES_CBC_SHA \
                                 ssl-cipher-family:SSL_DHE_DSS_WITH_DES_CBC_SHA ssl-cipher-family:SSL_RSA_FIPS_WITH_DES_CBC_SHA \
                                 ssl-cipher-family:SSL_RSA_WITH_DES_CBC_SHA ssl-cipher-family:TLS_RSA_EXPORT1024_WITH_RC4_56_SHA \
                                 ssl-cipher-family:TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA ssl-cipher-family:SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
                                 ssl-cipher-family:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_NULL_SHA \
                                 ssl-cipher-family:TLS_ECDHE_RSA_WITH_NULL_SHA ssl-cipher-family:TLS_ECDH_RSA_WITH_NULL_SHA \
                                 ssl-cipher-family:TLS_ECDH_ECDSA_WITH_NULL_SHA ssl-cipher-family:SSL_RSA_WITH_NULL_SHA \
                                 ssl-cipher-family:SSL_RSA_WITH_NULL_MD5 ssl-cipher-family:SSL_CK_RC4_128_WITH_MD5 \
                                 ssl-cipher-family:SSL_CK_RC2_128_CBC_WITH_MD5 ssl-cipher-family:SSL_CK_DES_192_EDE3_CBC_WITH_MD5 \
                                 ssl-cipher-family:SSL_CK_DES_64_CBC_WITH_MD5 ssl-cipher-family:SSL_CK_RC4_128_EXPORT40_WITH_MD5 \
                                 ssl-cipher-family:SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
                              dsadm restart ${serverRoot} 2>/dev/null

                               This drawing shows how the computers are connected. This subnet is isolated from other subnets and is used solely for testing.
                              +---------+  +---------+  +---------+  +---------+
                              |wgtsinf01|  |wgls01   |  |wgls02   |  |wgls03   |
                              |Solaris9 |  |Solaris10|  |Solaris9 |  |Solaris8 |
                              |DSEE6.1  |  |         |  |         |  |         |
                              +---------+  +---------+  +---------+  +---------+
                                  |.50         |.11         |.12         |.13
                                  |            |            |            |
                              ================================================== 10.64.47.x/24 (Test subnet)
                              Cheers,
                              Andreas
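David's five steps (create a CA, make a request, sign it, import the signed certificate, place the CA certificate on the client) and the DsCreateCert script above, reduced to a non-interactive openssl walk-through that ends with the trust check a TLS client performs. This is an added example, not code from the thread; the subject names, 365-day validity and temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's DsCreateCert script: David's five steps
# with openssl only, ending with the trust check a TLS client performs.
# Subject names, validity and the working directory are assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}
CA_SUBJ="/O=Example Lab/CN=Test CA"                 # assumed CA name
SERVER_SUBJ="/O=Example Lab/CN=ldap.example.test"   # assumed server name

# Step 1: create the test CA (private key plus self-signed CA certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Steps 2-4: server key and CSR, then sign the CSR with the CA.
# server.pem is what the directory server would import as "server-cert".
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$SERVER_SUBJ" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 365 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# For contrast: a stand-alone self-signed server certificate, the kind the
# client at the top of the thread rejected with "self signed certificate".
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SERVER_SUBJ" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# Step 5 as a check: with only cacert.pem trusted (the file that gets placed
# on the client), does certificate $1 validate? Echoes "ok" or "fail".
# The output is inspected rather than the exit status because old openssl
# versions exit 0 even when verification fails.
verify_with_ca() {
  out=$(openssl verify -CAfile "$WORK/cacert.pem" "$1" 2>&1) || true
  case "$out" in
    *error*) echo fail ;;
    *OK*)    echo ok ;;
    *)       echo fail ;;
  esac
}

make_ca
make_server_cert
make_selfsigned_cert
echo "CA-signed server cert:   $(verify_with_ca "$WORK/server.pem")"      # ok
echo "self-signed server cert: $(verify_with_ca "$WORK/selfsigned.pem")"  # fail
```

If this check says "fail" for the certificate the directory server presents, the CA certificate on the client is not the one that signed the server certificate, whatever the client's error text says.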
                              • 12. Re: LDAP client with TLS
                                807573
                                Hi,

                                 this is a nice script, doing all necessary stuff. Also if it were a certificate error, there should be other error messages.. I don't understand why the client should close the connection either. If there is really no error message in your client's syslog while doing LDAPS queries, then I don't know what to do next either.
                                 Is your Sol10 system patched properly? For me your configuration looks fine. What I really cannot understand: How can you log into the system while the LDAP configuration is not working? How can the system know the user login name and password? The system cannot make an unencrypted query when tls:simple is set up..

                                -David
                                • 13. Re: LDAP client with TLS
                                  807573
                                  Hello David,

                                  A) How can you log into the system, while the LDAP configuration is not working?
                                   One of my previous posts was a list of all configurations which are working. Below I'm including a copy of this list. I have a few configurations working without any problems: NONE, SIMPLE, SASL/DIGEST-MD5. The problem is only when using TLS:SIMPLE or TLS:SASL/DIGEST-MD5.
                                  #------------------------------------------------------------------------------
                                  # Working configurations:
                                  #                                                                ldapsearch
                                  #                             Auth            Channel login sudo DS  Native Open
                                   #       LDAP connectivity without proxy
                                  #               Solaris 10 => simple          clear   yes   yes  yes yes    yes
                                  #                             sasl/digest-md5 clear   yes   yes  yes yes    no
                                  #                             simple          TLS     yes   no   no  no     yes
                                  #                             simple          tls     no    no   no  no     no
                                  #               Solaris 9  => simple          clear   yes   yes  yes yes    yes
                                  #                             sasl/digest-md5 clear   yes   yes  yes        no
                                  #                             simple          TLS     no    n/a  no  no     yes
                                  #                             sasl/digest-md5 tls     no    no   no  no     no
                                  #               Solaris 8  => simple          clear   yes   yes  yes n/a    yes
                                  #                             sasl/digest-md5 clear   yes   yes  yes n/a    no
                                  #                             simple          tls     no    no   no  no     no
                                  #                             sasl/digest-md5 tls     no    no   no  no     no
                                  #       LDAP connectivity with proxy
                                  #               Solaris 10 => simple          clear   yes   yes  yes yes    yes
                                  #                             sasl/digest-md5 clear   no    no   no  yes    no
                                  #                             simple          tls     no    no   no  no     no
                                  #                             sasl/digest-md5 tls     no    no   no  no     no
                                  #               Solaris 9  => simple          clear   yes   yes  yes yes    yes
                                  #                             sasl/digest-md5 clear   no    no   no  yes    no
                                  #                             simple          tls     no    no   no  no     no
                                  #                             sasl/digest-md5 tls     no    no   no  no     no
                                  #               Solaris 8  => simple          clear   yes   yes  yes yes    yes
                                  #                             sasl/digest-md5 clear   no    no   no  n/a    no
                                  #                             simple          tls     no    no   no  no     no
                                  #                             sasl/digest-md5 tls     no    no   no  no     no
                                  #-------------------------------------------------------------------------------
                                  B) How can the system know the user login name and password?
                                   I suppose the answer is in my pam.conf file. Also, to my surprise, the same pam.conf does not work with all versions of Solaris because Solaris 10 needs one more entry to authenticate users. I lost two weeks figuring out why my Solaris 9 and 8 were working and not Solaris 10.

                                  C) The system can not make an unencrypted query when tls:simple is set up
                                   Is this a statement or a question? Talking about this particular topic, I found a blog page (http://blogs.sun.com/baban/entry/steps_to_setup_ssl_using) from a guy who works at Sun stating that the ldapcachemgr always tries to connect to the server on port 389. If the non-secure port (389 by default) is turned off, the client will NEVER connect. BTW, this was the source for my script above ;)

                                   I'm stuck right now trying to put this ?@#$^%$# DS to work with TLS. To be honest, the general documentation about this particular topic (LDAP client connect) is so poor that I'm very inclined to write a very long document about all my experiences. But, right now, I need to finish that TLS thing. I'm absolutely sure that the problem is a comma (,) or an underline (_) that I missed somewhere .. :(

                                  If you have any more ideas, please share with me.

                                  Cheers,
                                  Andreas
                                  • 14. Re: LDAP client with TLS
                                    807573
                                    Steve

                                    I have no idea if this can help but...
                                    <<<<< OpenLDAP client configuration >>>>>
                                    timelimit       30
                                    bind_timelimit  30
                                    idle_timelimit  30
                                    base            dc=nz,dc=thenational,dc=com
                                    scope           one
                                    ldap_version    3
                                    sasl_mech       SIMPLE
                                    tls_cacertdir   /var/ldap
                                    tls_checkpeer   yes
                                    tls_certificate /var/ldap/cacert.pem
                                    tls_reqcert     never
                                    tls_cacert      /var/ldap/cacert.pem
                                    ssl             start_ssl
                                    uri ldaps://wgtsinf01.nz.thenational.com:636 ldaps://wgpsinf01.nz.thenational.com:636 ldaps://akpsinf01.nz.thenational.com:636
                                    
                                    ________________________________________________
                                    [SunOS 5.9/bash] root@wgls02:/root
                                    # /var/Sun/mps/shared/bin/ldapsearch -h wgtsinf01.nz.thenational.com -p 636  -Z -b "" -s base -P /var/ldap -vvv "(objectclass=*)"
                                    ldapsearch: started Thu Aug 16 15:58:05 2007
                                    
                                    LDAP Library Information -
                                        Highest supported protocol version: 3
                                        LDAP API revision:                  2005
                                        API vendor name:                    Sun Microsystems Inc.
                                        Vendor-specific version:            5.11
                                        LDAP API Extensions:
                                            SERVER_SIDE_SORT (revision 1)
                                            VIRTUAL_LIST_VIEW (revision 1)
                                            PERSISTENT_SEARCH (revision 1)
                                            PROXY_AUTHORIZATION (revision 1)
                                            X_LDERRNO (revision 1)
                                            X_MEMCACHE (revision 1)
                                            X_IO_FUNCTIONS (revision 1)
                                            X_EXTIO_FUNCTIONS (revision 1)
                                            X_DNS_FUNCTIONS (revision 1)
                                            X_MEMALLOC_FUNCTIONS (revision 1)
                                            X_THREAD_FUNCTIONS (revision 1)
                                            X_EXTHREAD_FUNCTIONS (revision 1)
                                            X_GETLANGVALUES (revision 1)
                                            X_CLIENT_SIDE_SORT (revision 1)
                                            X_URL_FUNCTIONS (revision 1)
                                            X_FILTER_FUNCTIONS (revision 1)
                                    
                                    ldap_init( wgtsinf01.nz.thenational.com, 636 )
                                    ldaptool_getcertpath -- /var/ldap
                                    ldaptool_getkeypath -- /var/ldap
                                    ldaptool_getdonglefilename -- (null)
                                    filter pattern: (objectclass=*)
                                    returning: ALL
                                    filter is: (objectclass=*)
                                    ldap_search: Can't contact LDAP server
                                            SSL error -8101 (Certificate type not approved for application.)
                                    Seems that, for some reason, the DS ldapsearch version is not accepting the certificate. OpenLDAP ldapsearch is working:
                                    ________________________________________________
                                    [SunOS 5.9/bash] root@wgls02:/root
                                    # /usr/local/bin/ldapsearch -x -H ldaps://wgtsinf01.nz.thenational.com:636 -b "" -s base -LLL -Z "(objectclass=*)"
                                    ldap_start_tls: Operations error (1)
                                            additional info: SSL connection already established.
                                    dn:
                                    objectClass: top
                                    namingContexts: dc=nz,dc=thenational,dc=com
                                    supportedExtension: 2.16.840.1.113730.3.5.7
                                    supportedExtension: 2.16.840.1.113730.3.5.8
                                    supportedExtension: 1.3.6.1.4.1.4203.1.11.1
                                    ...
                                     The warning message is caused by using -Z when there is already a uri ldaps:... in the configuration file. I forced -Z to ensure that OpenLDAP ldapsearch is really using the TLS entry from the configuration file.

                                    Any ideas?

                                    Cheers,
                                    Andreas
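The configuration posted above mixes settings that pull in opposite directions: `tls_checkpeer yes` asks for peer verification while `tls_reqcert never` switches it off, and `ssl start_ssl` requests StartTLS on URIs that are already `ldaps://`, which is exactly what produces the "SSL connection already established" warning. The following checker is an added example written for this thread; it is not part of the original post or of any Sun, PADL or OpenLDAP tool. It parses the `keyword value` format the posted file uses, reports the weak or conflicting TLS settings, and runs the same checks against a constructed hardened variant (`HARDENED_CONFIG`) of the same file. The host names are the poster's; the hardened values and the default of `demand` for an absent `tls_reqcert` are assumptions of this example.

```python
"""Lint an nss_ldap/pam_ldap-style client configuration for weak TLS settings.

Added example for this forum thread; not code from the original post or from
any LDAP client. Host names come from the posted configuration; everything
else is constructed for the example.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed from the configuration posted above (poster's host names kept).
POSTED_CONFIG = """\
timelimit       30
bind_timelimit  30
idle_timelimit  30
base            dc=nz,dc=thenational,dc=com
scope           one
ldap_version    3
sasl_mech       SIMPLE
tls_cacertdir   /var/ldap
tls_checkpeer   yes
tls_certificate /var/ldap/cacert.pem
tls_reqcert     never
tls_cacert      /var/ldap/cacert.pem
ssl             start_ssl
uri ldaps://wgtsinf01.nz.thenational.com:636 ldaps://wgpsinf01.nz.thenational.com:636
"""

# Constructed (assumption, not from the thread): same servers, verification on.
HARDENED_CONFIG = """\
base            dc=nz,dc=thenational,dc=com
ldap_version    3
tls_cacert      /var/ldap/cacert.pem
tls_checkpeer   yes
tls_reqcert     demand
ssl             on
uri ldaps://wgtsinf01.nz.thenational.com:636 ldaps://wgpsinf01.nz.thenational.com:636
"""


def parse_ldap_conf(text: str) -> dict[str, list[str]]:
    """Parse 'keyword value...' lines into a dict of keyword -> values.

    Keywords are folded to lower case, '#' starts a comment, blank lines are
    skipped, and a keyword that appears more than once keeps every value.
    """
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        conf.setdefault(key.lower(), []).extend(values)
    return conf


def check_tls_settings(conf: dict[str, list[str]]) -> list[str]:
    """Return one human-readable finding per weak or conflicting TLS setting."""
    findings: list[str] = []
    # Assumption: an absent tls_reqcert behaves like OpenLDAP's default, 'demand'.
    reqcert = conf.get("tls_reqcert", ["demand"])[0].lower()
    checkpeer = conf.get("tls_checkpeer", ["no"])[0].lower()
    ssl_mode = conf.get("ssl", ["off"])[0].lower()
    schemes = {urlsplit(u).scheme.lower() for u in conf.get("uri", [])}

    if reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert {reqcert}: the server certificate is not "
                        "verified, so TLS does not authenticate the directory server")
    if checkpeer == "yes" and reqcert in ("never", "allow"):
        findings.append("tls_checkpeer yes and tls_reqcert disagree on whether "
                        "the peer certificate is verified")
    if "ldap" in schemes and not ssl_mode.startswith("start"):
        findings.append("ldap:// URI without StartTLS: binds and query results "
                        "travel in clear text")
    if "ldaps" in schemes and ssl_mode.startswith("start"):
        findings.append(f"ssl {ssl_mode} with an ldaps:// URI: StartTLS is requested "
                        "on a socket that is already TLS ('SSL connection already "
                        "established')")
    if ssl_mode not in ("on", "off", "start_tls"):
        findings.append(f"ssl {ssl_mode}: not a recognised value "
                        "(expected on, off or start_tls)")
    if reqcert in ("demand", "hard", "try") and not (
            conf.get("tls_cacert") or conf.get("tls_cacertdir")):
        findings.append("peer verification requested but no tls_cacert or "
                        "tls_cacertdir is set, so no trust anchor can be used")
    return findings


def lint(text: str) -> list[str]:
    """Convenience wrapper: parse and check in one call."""
    return check_tls_settings(parse_ldap_conf(text))


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = lint(text)
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Run stand-alone it prints four findings for the posted file and none for the hardened one. The checks are deliberately conservative: they only read the keywords visible in the posted file and do not try to open the certificate files, so the script can be run on a copy of a config anywhere.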