Can't use Bind DLZ through LDAPS SSL

Can't use Bind DLZ through LDAPS SSL

Dario García Díaz-Miguel
Hi there,

I really don't know if this is the correct place to ask about Bind DLZ, but I'm afraid I could not get any responses from the BIND DLZ mailing list and, since this seems to be an "official" plugin and it is compiled into the bind9 package from the SuSE 15 SP2 repository, I will try asking it over here.
I've deployed an OpenLDAP using the security options recommended by my cybersecurity team:

- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try

So essentially right now it is required to use certificates and LDAPS in order to bind to the OpenLDAP server. Otherwise a Confidential error will appear, since the TLS/SSL handshake is not possible. Well, this is the expected behavior.
All the software in the environment works flawlessly using the SSL certificates through LDAPS SSL except Bind DLZ. I could not find a way to configure it to use SSL.

The Bind DLZ used is the one compiled with the BIND 9.16.6 (Stable Release) from the SUSE 15 SP2 repository.

Could anybody help me?

Thank you so much.
Regards.



Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com

Please consider the environment before printing this e-mail.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Can't use Bind DLZ through LDAPS SSL

Ted Mittelstaedt
Instead of beating your head against DLZ can't you simply put the DLZ
query into stunnel and connect to the openldap server that way?

Ted

On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:

RE: Can't use Bind DLZ through LDAPS SSL

Dario García Díaz-Miguel
Hi Ted,

Thank you for your answer.
Both servers (OpenLDAP and BIND DLZ) are on the same machine.

The LDAPI:/// socket has been configured not to require SSL via olcLocalSSF.

If BIND DLZ is not supporting LDAPS, does it support any way to bind against LDAP using LDAPI?

I've tried using ldapi:/// as well as ldaps:// in the queries and it does not work.
I have also tried adding the port to the hostnames in the connection parameters in named.conf and that does not work either.

About stunnel, I'm not sure, since I'm not familiar with it, and including new software would require an approval request explaining good enough reasons to use it.

Thank you so much.
Regards.


Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com

-----Original Message-----
Date: Fri, 12 Feb 2021 01:29:17 -0800
From: Ted Mittelstaedt <[hidden email]>
To: [hidden email]
Subject: Re: Can't use Bind DLZ through LDAPS SSL
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Re: Can't use Bind DLZ through LDAPS SSL

Ted Mittelstaedt
If the programs are both on the same machine and you are using ldapi
with olcLocalSSF then you are NOT using SSL.

For starters on this machine if you simply run a LDAP query with
the command line tools against the OpenLDAP server does it work?
Like ldapsearch -LLL -H ldapi://blardy blardy blar

What is in your slapd.ldif?  Usually there should be an
olcSecurity: ssf=something and this should match the
value you are using in olcLocalSSF.  The command line ldap program
should pump out an error message if this mechanism is broken.

If you are not familiar with stunnel you should have looked up what it
was before responding.  It's not going to be applicable here and I
would not have suggested it if I had known both programs were on the
same machine.

Ted

On 2/12/2021 3:15 AM, Dario García Díaz-Miguel wrote:

RE: Can't use Bind DLZ through LDAPS SSL

Dario García Díaz-Miguel
Hi Ted,

The values related to the issue, as configured in the slapd configuration, are in my original message:

>
> - olcSecurity: ssf=256
> - olcLocalSSF: 256
> - olcRequires: authc
> - olcDisallow: bind_anon
> - olcTLSVerifyClient: try
>

Exactly, using LDAPI with my olcLocalSSF configuration does not use SSL, and that is required by some implementations.
The problem is that BIND DLZ is NOT using LDAPI nor LDAPS and I don't know how to configure it.

ldapsearch -H ldapi:/// -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldaps://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> does not work
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -Z --> works

This is the expected behavior and not related at all to my original question.

I just asked how we should configure BIND DLZ to use LDAPS (636) or LDAPI instead of LDAP (389), since DLZ queries do not support port specifications.

Thank you so much.
Kind Regards.


Re: Can't use Bind DLZ through LDAPS SSL

Ted Mittelstaedt
That should be impossible.  Bind DLZ is compiled to use the same
openldap libraries that your openldap server is using.  If you configure
the query URL as ldapi then the same thing is being sent to
the libraries that ldapsearch is sending.  That is why you do not have
to do anything special other than change the query string to ldap: or
ldapi: or ldaps: in the dlz config.

Are you using the examples on
http://bind-dlz.dourceforge.net/ldap-_driver.html?

Is dlz possibly dynamically linked and can't find the openldap libraries?

Ted


On 2/12/2021 4:09 AM, Dario García Díaz-Miguel wrote:

RE: Can't use Bind DLZ through LDAPS SSL

Dario García Díaz-Miguel
Hi Ted,

Thank you again for your reply, very appreciated.

Yes, I'm using the Bind-DLZ site's examples to build my own configuration:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} localhost
ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldap:///dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldap:///dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

This configuration works flawlessly without the options olcLocalSSF=256 and olcSecurity ssf=256.
Once these options are activated, named.service stops working and will not start.
So I tried to use ldaps:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} localhost
ldaps:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldaps:///dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps:///dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldaps:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

The logs show the following errors:

allow zone transfer query must not specify a port
SDLZ driver failed to load
DLZ driver failed to load
Loading configuration: failure
Exiting (due to fatal error)
Failed to start Berkeley Internet Name Domain (DNS)


So I tried to use ldapi:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} localhost
ldapi:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldapi:///dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldapi:///dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldapi:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldapi:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

Same result on logs.


I think that OpenLDAP is correctly retrieved by bind.

# ldd /usr/sbin/named

[...]
libldap_r-2.4.so.2 => /usr/lib64/libldap_r-2.4.so.2 (0x00007fc6d482d000)
[...]

And the same for all the libraries like libssl, libgssapi_krb5... there are no "not found" libraries.
I suppose that in case of any problem with the libldap library, named could not connect to slapd without the olcSecurity SSF options either.



Thank you so much for your help.
Regards.

Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
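Added example, not code from the thread or from the BIND DLZ project: a small RFC 4516 LDAP URL parser and a pre-flight checker for the query URLs of a DLZ "ldap" database string like the one posted above. The only page-specific assumptions are the URL layout from the thread's configuration and its $zone$/$record$/$client$ placeholders (accepted with or without the backslashes the mail shows); the sample URLs below are constructed from that configuration and one of them is deliberately given a malformed RDN so the DN check has something to report. The checker flags an explicit host or port inside a query URL (the log line "allow zone transfer query must not specify a port" is the driver refusing exactly that), a malformed RDN, an unknown scope and unbalanced filter parentheses; it does not diagnose why ldaps:/// and ldapi:/// were rejected in this thread. The expand function shows how placeholder values should be substituted with the escaping appropriate to the part of the URL they land in.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Accepts $zone$ as in the DLZ docs and \$zone\$ as it appears when pasted into mail.
PLACEHOLDER = re.compile(r"\\?\$(zone|record|client)\\?\$")
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")   # attributeType=value (RFC 4514)
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: Optional[int]
    dn: str
    attrs: List[str]
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://[host[:port]]/dn[?attrs[?scope[?filter]]] per RFC 4516."""
    m = re.fullmatch(r"(ldaps?|ldapi)://([^/]*)/(.*)", url)
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme, hostport, rest = m.groups()
    host, port = hostport, None
    if ":" in hostport and not hostport.startswith("["):   # [IPv6]:port not handled
        host, _, port_text = hostport.rpartition(":")
        port = int(port_text)
    parts = rest.split("?")
    if len(parts) > 4:
        raise ValueError(f"more than three '?' separators in {url!r}")
    parts += [""] * (4 - len(parts))
    dn, attrs, scope, filt = (unquote(p) for p in parts)
    return LdapUrl(scheme, host, port, dn,
                   [a for a in attrs.split(",") if a], scope or "base", filt)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter
    (a DNS wildcard label '*' becomes '\\2a' so it is matched literally)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside an RDN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expand(url: LdapUrl, **values: str) -> LdapUrl:
    """Substitute $zone$/$record$/$client$, escaping each value for the part it lands in."""
    def sub(text: str, esc) -> str:
        return PLACEHOLDER.sub(
            lambda m: esc(values[m.group(1)]) if m.group(1) in values else m.group(0), text)
    return LdapUrl(url.scheme, url.host, url.port, sub(url.dn, escape_dn_value),
                   url.attrs, url.scope, sub(url.filter, escape_filter_value))


def filter_balanced(filt: str) -> bool:
    """True when every '(' in the filter has a matching ')' in the right order."""
    depth = 0
    for c in filt:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0


def check_dlz_urls(urls: List[str]) -> List[str]:
    """Pre-flight the query URLs of a DLZ 'ldap' database string; returns the problems found."""
    problems = []
    for i, raw in enumerate(urls, 1):
        try:
            u = parse_ldap_url(raw)
        except ValueError as err:
            problems.append(f"query {i}: {err}")
            continue
        if u.host:
            problems.append(f"query {i}: explicit host {u.host!r}; the ldap driver takes the "
                            f"host from the database string, use {u.scheme}:///")
        if u.port is not None:
            problems.append(f"query {i}: explicit port {u.port}; DLZ query URLs must not specify a port")
        for rdn in re.split(r"(?<!\\),", u.dn):
            if not RDN.match(rdn):
                problems.append(f"query {i}: malformed RDN {rdn!r} in DN {u.dn!r}")
        if u.scope not in SCOPES:
            problems.append(f"query {i}: unknown scope {u.scope!r}")
        if not filter_balanced(u.filter):
            problems.append(f"query {i}: unbalanced parentheses in filter {u.filter!r}")
    return problems


# Constructed sample, modelled on the thread's configuration: four DLZ query URLs,
# with the SOA query given a malformed RDN (",=dc=example") to exercise the DN check.
DLZ_QUERIES = [
    r"ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone",
    r"ldap:///dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com"
    r"?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))",
    r"ldap:///dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,=dc=example,dc=com"
    r"?dlzTTL,dlzType,dlzData?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))",
    r"ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))",
]

if __name__ == "__main__":
    for problem in check_dlz_urls(DLZ_QUERIES):
        print(problem)
    print(expand(parse_ldap_url(DLZ_QUERIES[3]), zone="example.com", client="192.0.2.10"))
```

Run it against the query URLs cut out of named.conf before restarting named; a clean run prints nothing from the checker, and the expanded allow-transfer URL shows the exact DN and filter slapd will be asked for. The checker is deliberately stricter than the driver in one respect: it also rejects a host name inside the URL, because the host is already given as the separate "localhost" parameter of the database string and a second copy inside the URL is at best ignored.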










-----Mensaje original-----
That should be impossible.  Bind DLZ is compiled to use the same
openldap libraries that your openldap server is using.  If you configure
the query URL as ldapi then the same thing is being sent to
the libraries that ldapsearch is sending.  That is why you do not have
to do anything special other than change the query string to ldap: or
ldapi: or ldaps: in the dlz config.

Are you using the examples on
http://bind-dlz.dourceforge.net/ldap-_driver.html?

is dlz possibly dynamically linked and can't find the openldap libraries?

Ted



De: Dario García Díaz-Miguel
Enviado el: viernes, 12 de febrero de 2021 13:10
Para: [hidden email]
CC: skmf_support <[hidden email]>
Asunto: RE: Can't use Bind DLZ through LDAPS SSL

Hi Ted,

The values related with the issue configured on the slapd configuration are on my original message:

>
> - olcSecurity: ssf=256
> - olcLocalSSF: 256
> - olcRequires: authc
> - olcDisallow: bind_anon
> - olcTLSVerifyClient: try
>

Exactly, using LDAPI with my olcLocalSSF configuration is not using SSL and that's required due to some implementations.
The problem is that BIND DLZ is NOT using LDAPI nor LDAPS and I don't know how to configure it.

Ldapsearch -H ldapi:/// -D "cn=Administrator,dc=example,dc=com" -W --> works Ldapsearch -H ldaps://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> works Ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> does not work Ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -Z  --> works

This is the expected behavior and not related at all with my original question.

I just asked how should we configure BIND DLZ to use LDAPS (636) or LDAPI instead of LDAP(389), since DLZ queries does not support port specifications.

Thank you so much.
Kind Regards.


-----Mensaje original-----
If the programs are both on the same machine and you are using ldapi with oldlocalSSF then you are NOT using SSL.

For starters on this machine if you simply run a LDAP query with the command line tools against the OpenLDAP server does it work?
Like ldapsearch -LLL -H ldapi://blardy blardy blar

What is in your slapd.lidf?  Usually there should be a
olcSecurity: ssf=something and this should match the
value you are using in the olclocalSSF   The command line ldap program
should pump out an error message if this mechanism is broken.

If you are not familiar with stunnel you should have looked up what it was before responding.  It's not going to be applicable here and I would not have suggested it if I had known both programs were on the same machine.

Ted


Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com











De: Dario García Díaz-Miguel
Enviado el: viernes, 12 de febrero de 2021 12:15
Para: [hidden email]
CC: skmf_support <[hidden email]>
Asunto: RE: Can't use Bind DLZ through LDAPS SSL

Hi Ted,

Thank you for your answer.
Both servers (OpenLDAP and BIND DLZ) are on the same machine.

The ldapi:/// socket has been configured not to require SSL, via olcLocalSSF.

If BIND DLZ is not supporting LDAPS, does it support any way to bind against LDAP using LDAPI?

I've tried to use the ldapi:/// as well as the ldaps:// on the queries and it does not work.
I have also tried adding the port to the hostnames in the connection parameters in named.conf, and it does not work either.

About stunnel, I'm not sure since I'm not familiar with it, and including new software would require an approval request explaining good enough reasons to use it.

Thank you so much.
Regards.

-----Mensaje original-----
Date: Fri, 12 Feb 2021 01:29:17 -0800
From: Ted Mittelstaedt <[hidden email]>
To: [hidden email]
Subject: Re: Can't use Bind DLZ through LDAPS SSL
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Instead of beating your head against DLZ can't you simply put the DLZ query into stunnel and connect to the openldap server that way?

Ted

On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:

RE: Can't use Bind DLZ through LDAPS SSL

Bind-Users forum mailing list
In reply to this post by Dario García Díaz-Miguel
Hi everybody,

Since I'm a little bit desperate with this issue, and after asking this on reddit (r/sysadmin) and serverfault with few or no responses, I tried some configurations based on the ideas a user gave me, still with no luck:

- Using ldap:// and socket path translation using the python library urllib.parse:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} 192.168.1.15
ldap://%2Frun%2Fslapd%2Fldapi/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldap://%2Frun%2Fslapd%2Fldapi/dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldap://%2Frun%2Fslapd%2Fldapi/dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldap://%2Frun%2Fslapd%2Fldapi/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldap://%2Frun%2Fslapd%2Fldapi/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

- Using ldapi:// and socket path translation using the python code:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} 192.168.1.15
ldapi://%2Frun%2Fslapd%2Fldapi/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldapi://%2Frun%2Fslapd%2Fldapi/dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldapi://%2Frun%2Fslapd%2Fldapi/dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldapi://%2Frun%2Fslapd%2Fldapi/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldapi://%2Frun%2Fslapd%2Fldapi/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

- Using ldaps:// and FQDN:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} 192.168.1.15
ldaps://test-machine.example.com/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldaps://test-machine.example.com/dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps://test-machine.example.com/dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldaps://test-machine.example.com/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps://test-machine.example.com/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

- Using ldaps:// and FQDN and FQDN as connection parameter:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} test-machine.example.com
ldaps://test-machine.example.com/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldaps://test-machine.example.com/dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps://test-machine.example.com/dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldaps://test-machine.example.com/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps://test-machine.example.com/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};


My ldap.conf:

TLS_CACERT      /etc/openldap/certs/CA.cert.pem
TLS_CACERT_DIR  /etc/openldap/certs/
TLS_CERT        /etc/openldap/certs/test-machine.example.com.cert.pem
TLS_KEY         /etc/openldap/certs/test-machine.example.com.key.pem
TLS_REQCERT     try
BASE            dc=example,dc=com
SASL_MECH       EXTERNAL
SASL_REALM      EXAMPLE.COM
URI             ldaps://test-machine.example.com:636


Please, some help would be totally appreciated.

Kind Regards.

-----Mensaje original-----
De: Dario García Díaz-Miguel
Enviado el: lunes, 15 de febrero de 2021 8:07
Para: '[hidden email]' <[hidden email]>
CC: skmf_support <[hidden email]>
Asunto: RE: Can't use Bind DLZ through LDAPS SSL

Hi Ted,

Thank you again for your reply, very appreciated.

Yes, I'm using the Bind-DLZ site's examples to build my own configuration:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} localhost ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldap:///dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldap:///dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldap:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

This configuration works flawlessly without the options olcLocalSSF=256 and olcSecurity ssf=256.
Once these options are activated, named.service stops working and will not start.
So, I tried to use ldaps:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} localhost ldaps:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldaps:///dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps:///dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldaps:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldaps:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

The logs show the following errors:

allow zone transfer query must not specify a port
SDLZ driver failed to load
DLZ driver failed to load
Loading configuration: failure
Exiting (due to fatal error)
Failed to start Berkeley Internet Name Domain (DNS)


So I tried to use ldapi:

dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} localhost ldapi:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldapi:///dlzHostName=\$record\$,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzPreference,dlzData,dlzIpAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
ldapi:///dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldapi:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com?dlzTTL,dlzType,dlzHostname,dlzPreference,dlzData,dlzIpAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectClass=dlzAbstractRecord)(!(dlzType=soa)))
ldapi:///dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};

Same result on logs.


I think that OpenLDAP is correctly retrieved by bind.

# ldd /usr/sbin/named

[...]
libldap_r-2.4.so.2 => /usr/lib64/libldap_r-2.4.so.2 (0x00007fc6d482d000)
[...]

And the same for all the libraries like libssl, libgssapi_krb5... there aren't any "not found" libraries.
I suppose that in case of any problem with the libldap library, named could not connect to slapd without the olcSecurity SSF options either.



Thank you so much for your help.
Regards.

-----Mensaje original-----
That should be impossible.  Bind DLZ is compiled to use the same
openldap libraries that your openldap server is using.  If you configure
the query URL as ldapi then the same thing is being sent to
the libraries that ldapsearch is sending.  That is why you do not have
to do anything special other than change the query string to ldap: or
ldapi: or ldaps: in the dlz config.

Are you using the examples on
http://bind-dlz.dourceforge.net/ldap-_driver.html?

Is DLZ possibly dynamically linked and unable to find the OpenLDAP libraries?

Ted



De: Dario García Díaz-Miguel
Enviado el: viernes, 12 de febrero de 2021 13:10
Para: [hidden email]
CC: skmf_support <[hidden email]>
Asunto: RE: Can't use Bind DLZ through LDAPS SSL

Hi Ted,

The values related with the issue configured on the slapd configuration are on my original message:

>
> - olcSecurity: ssf=256
> - olcLocalSSF: 256
> - olcRequires: authc
> - olcDisallow: bind_anon
> - olcTLSVerifyClient: try
>

Exactly, using LDAPI with my olcLocalSSF configuration is not using SSL and that's required due to some implementations.
The problem is that BIND DLZ is NOT using LDAPI nor LDAPS and I don't know how to configure it.

ldapsearch -H ldapi:/// -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldaps://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> does not work
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -Z --> works

This is the expected behavior and not related at all with my original question.

I just asked how we should configure BIND DLZ to use LDAPS (636) or LDAPI instead of LDAP (389), since DLZ queries do not support port specifications.

Thank you so much.
Kind Regards.
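The query strings in the dlz stanzas above (and the ldapsearch checks earlier in the thread) are RFC 4516 LDAP URLs: scheme://host[:port]/base-DN?attributes?scope?filter, with \$zone\$, \$record\$ and \$client\$ filled in by the driver at lookup time, and a percent-encoded Unix socket path standing in for the host when the scheme is ldapi. The script below is an added example written for this thread, not code from BIND, the DLZ project or the poster. It pulls each query URL out of a dlz stanza, splits it into those parts and reports what the driver would refuse, such as an explicit port (the "must not specify a port" error quoted above) or a malformed RDN in the base DN, before named is restarted. The stanza it checks is constructed for the example, modelled on the ldaps attempt above, with one port and one "=dc=example" typo put in on purpose; only the Python standard library is used.

```python
"""Check the LDAP query URLs of a BIND DLZ "ldap" driver stanza.

Added example for this thread, not code from BIND or the DLZ project.
Each query is an RFC 4516 style URL, scheme://host[:port]/base?attrs?scope?filter,
with $zone$/$record$/$client$ substituted by the driver at lookup time.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

URL_RE = re.compile(r'ldap[is]?://[^\s"]+')
# attributeType '=' value; DLZ placeholders ($zone$, ...) and '@' are valid values
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
SCOPES = {"base", "one", "sub"}


@dataclass
class DlzQuery:
    scheme: str
    host: str                # hostname, or the decoded socket path for ldapi
    port: Optional[int]
    base_dn: str
    attrs: List[str]
    scope: str
    filter: str
    problems: List[str] = field(default_factory=list)


def parse_dlz_query(raw: str) -> DlzQuery:
    """Split one query URL into its parts and record anything DLZ would reject."""
    url = raw.replace("\\$", "$")            # named.conf writes the placeholders as \$zone\$
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"not an LDAP URL: {raw!r}")
    hostport, _, rest = rest.partition("/")
    host, port = hostport, None
    if hostport.lower().startswith("%2f"):
        host = unquote(hostport)             # ldapi: percent-encoded Unix socket path
    elif ":" in hostport:                    # host:port (IPv6 literals not handled here)
        host, _, port_str = hostport.rpartition(":")
        port = int(port_str) if port_str.isdigit() else None
    parts = rest.split("?", 3) + [""] * 3    # base?attrs?scope?filter, all but base optional
    base_dn, attrs_str, scope, filt = parts[:4]
    q = DlzQuery(scheme, host, port, base_dn,
                 [a for a in attrs_str.split(",") if a], scope or "base", filt)

    if port is not None:
        q.problems.append(f"explicit port {port}: the DLZ ldap driver rejects ports in query URLs")
    if scheme == "ldapi" and not host.startswith("/"):
        q.problems.append("ldapi:// needs a percent-encoded socket path, e.g. ldapi://%2Frun%2Fslapd%2Fldapi/")
    if scheme != "ldapi" and host.startswith("/"):
        q.problems.append(f"{scheme}:// with a socket path as host; use ldapi:// for Unix sockets")
    for rdn in base_dn.split(","):
        if not RDN_RE.match(rdn):
            q.problems.append(f"malformed RDN {rdn!r} in base DN")
    if q.scope not in SCOPES:
        q.problems.append(f"unknown scope {q.scope!r} (expected base, one or sub)")
    return q


def check_stanza(stanza: str) -> List[DlzQuery]:
    """Pull every query URL out of a dlz { database "ldap 2 ..." } stanza and check it."""
    return [parse_dlz_query(m) for m in URL_RE.findall(stanza)]


# Constructed sample, modelled on the thread's ldaps attempt: the second query
# carries an "ou=dns,=dc=example" typo and the third an explicit port.
SAMPLE_STANZA = r"""
dlz "ldap zone" {
database "ldap 2
v3 simple {uid=bind/test-machine.example.com,ou=Services,dc=example,dc=com} {secret} test-machine.example.com
ldaps://test-machine.example.com/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com???objectclass=dlzZone
ldaps://test-machine.example.com/dlzHostName=@,dlzZoneName=\$zone\$,ou=dns,=dc=example,dc=com?dlzTTL,dlzType,dlzData?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
ldaps://test-machine.example.com:636/dlzZoneName=\$zone\$,ou=dns,dc=example,dc=com??sub?(&(objectclass=dlzXFR)(dlzIPAddr=\$client\$))";
};
"""

if __name__ == "__main__":
    for q in check_stanza(SAMPLE_STANZA):
        verdict = "ok" if not q.problems else "; ".join(q.problems)
        print(f"{q.scheme}://{q.host} port={q.port} scope={q.scope} base={q.base_dn}")
        print(f"    {verdict}")
```

Run as a script it prints one verdict per query; an empty problems list means the URL is in the shape the driver accepts. It only catches URL-level mistakes; whether slapd then accepts the connection under the ssf=256 policy is what the ldapsearch runs above establish.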

Re: Can't use Bind DLZ through LDAPS SSL

Bind-Users forum mailing list
In reply to this post by Ted Mittelstaedt
On 2/12/21 4:49 AM, Ted Mittelstaedt wrote:
> If you are not familiar with stunnel you should have looked up what
> it was before responding.  It's not going to be applicable here and
> I would not have suggested it if I had known both programs were on
> the same machine.

What does being on the same machine have to do with using stunnel or not?

Won't stunnel be configured to listen on one port and connect to a
different port?

Thus the connections would be:

127.0.0.1:<abc> --- 127.0.0.1:389
127.0.0.1:<def> --- 127.0.0.1:639

What am I missing?



--
Grant. . . .
unix || die

Re: Can't use Bind DLZ through LDAPS SSL

Bind-Users forum mailing list
In reply to this post by Bind-Users forum mailing list
On 2/16/21 11:54 PM, Dario García Díaz-Miguel via bind-users wrote:
> Hi everybody,

Hi,

> Since I'm a little bit desperate with this issue, and after asking
> this on reddit (r/sysadmin) and serverfault with low or none responses,

I think it would be worth half an hour or so to test stunnel.  It should
be able to help prove your overall end to end design works.  Having a
successful end to end design will also help defend the use of the tool.

You can also probably dig deeper into why you might need stunnel
independently of does the design work.

Sometimes having additional information, via a crutch, helps in
diagnosing problems.


