Can't use EXTERNAL authentication after enabling TLS in ldap-2.4

Solution 1:

Without access to the running config, you'll have to stop slapd and edit the configuration offline.

  1. stop slapd: service slapd stop
  2. dump the config database to a text file: slapcat -F /etc/ldap/slapd.d -b cn=config -l config.ldif
  3. move the existing config database out of the way: mv /etc/ldap/slapd.d{,.old}
  4. make a new, empty config database:

    mkdir /etc/ldap/slapd.d
    chown --reference=/etc/ldap/slapd.d.old /etc/ldap/slapd.d
    chmod --reference=/etc/ldap/slapd.d.old /etc/ldap/slapd.d

  5. edit the dumped config.ldif to remove your olcSecurity setting (or add olcRootDN and olcRootPW to cn=config, or any other changes you like)
  6. load the edited LDIF into the new empty database: slapadd -F /etc/ldap/slapd.d -b cn=config -l config.ldif

(The above assumes your configuration lives at /etc/ldap/slapd.d, which is the default in Debian and Ubuntu.)

Note that slapadd of a complete LDIF should always be done into an empty database; so if you make a mistake and slapadd fails, make sure to clear out the partial database before trying again.

You can find more information in the OpenLDAP Admin Guide as well as the relevant man pages.

Solution 2:

Looking into the code: on the server side, in servers/slapd/daemon.c, the authid for EXTERNAL is set up using the uid and gid shortly after the incoming connection is accept()ed. Later on, in servers/slapd/connection.c, if TLS is active, it overwrites that with the name from the client's certificate. Since you aren't providing a client certificate, at this point the authid gets overwritten with NULL, making EXTERNAL not available.

In short, if TLS is active then the uid+gid authid is not used. Depending on your perspective, this could be considered a bug; ideally it would fall back to the peercred ID.

That said, TLS on ldapi is really not necessary as the local socket already provides total privacy; so you could set olcSecurity just on your own database, leaving it not set for the frontend and cn=config (see e.g. this post), or you could use ssf= instead of tls= and set olcLocalSSF appropriately. Or you could use a different DN as the manager for cn=config, in order to not depend on the peercred feature.
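As an added example (not code from either answer), a small Python helper for step 5 of Solution 1: it removes olcSecurity from the global and frontend entries of a slapcat dump while keeping a per-database olcSecurity, which is the arrangement Solution 2 suggests. It handles LDIF line folding, so an olcSecurity value that slapcat wrapped across two lines is still caught. The function names and the sample dump are constructed for this illustration.

```python
# Hypothetical helper for editing a cn=config dump offline; not part of
# OpenLDAP and not from the answers above.

def parse_entries(text):
    """Split LDIF text into entries (blank-line separated), joining folded
    continuation lines (a leading single space, RFC 2849) as slapcat emits them."""
    entries, current = [], []
    for line in text.splitlines():
        if line == "":
            if current:
                entries.append(current)
                current = []
        elif line.startswith(" ") and current:
            current[-1] += line[1:]          # continuation of previous value
        elif not line.startswith("#"):       # skip LDIF comments
            current.append(line)
    if current:
        entries.append(current)
    return entries

def strip_olc_security(ldif_text, dns=("cn=config", "olcDatabase={-1}frontend,cn=config")):
    """Return the dump with olcSecurity removed from the entries listed in dns.
    Other entries, e.g. a per-database olcSecurity, are left untouched. Assumes
    those DNs are written plainly ('dn: '), not base64-encoded ('dn:: ')."""
    out = []
    for entry in parse_entries(ldif_text):
        dn = next((l[4:].strip() for l in entry if l.startswith("dn: ")), "")
        if dn in dns:
            entry = [l for l in entry if not l.lower().startswith("olcsecurity:")]
        out.append("\n".join(entry))
    return "\n\n".join(out) + "\n"

# Constructed sample dump: olcSecurity on the global entry, on the frontend
# (folded across two lines, as slapcat does with long values) and on one database.
SAMPLE = """dn: cn=config
objectClass: olcGlobal
olcSecurity: tls=1

dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcSecurity: tl
 s=1

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSecurity: tls=1
"""
```

Run the result through step 6 (slapadd into the empty slapd.d) exactly as for a hand-edited file.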

Tags: openldap, sasl