Can't use Bind DLZ through LDAPS SSL

Ted Mittelstaedt tedm at ipinc.net
Fri Feb 12 11:49:49 UTC 2021


If the programs are both on the same machine and you are using ldapi
with olcLocalSSF then you are NOT using SSL.

For starters on this machine if you simply run a LDAP query with
the command line tools against the OpenLDAP server does it work?
Like ldapsearch -LLL -H ldapi://blardy blardy blar

What is in your slapd.ldif?  Usually there should be an
olcSecurity: ssf=something and this should match the
value you are using in the olcLocalSSF.  The command line ldap program
should pump out an error message if this mechanism is broken.

If you are not familiar with stunnel you should have looked up what it 
was before responding.  It's not going to be applicable here and I
would not have suggested it if I had known both programs were on the
same machine.

Ted

On 2/12/2021 3:15 AM, Dario García Díaz-Miguel wrote:
> Hi Ted,
>
> Thank you for your answer.
> Both servers (OpenLDAP and BIND DLZ) are on the same machine.
>
> LDAPI:/// socket has been configured to not require SSL with olcLocalSSF
>
> If BIND DLZ is not supporting LDAPS, does it support any way to bind against LDAP using LDAPI?
>
> I've tried to use the ldapi:/// as well as the ldaps:// on the queries and it does not work.
> I also have tried adding the port to the hostnames on the connection parameters from named.conf and it also does not work.
>
> About stunnel, I'm not sure since I'm not familiar with it and including a new software would suppose an approval request explaining good enough reasons to use it.
>
> Thank you so much.
> Regards.
>
> Dario Garcia
> Díaz-Miguel
> GGCS-SES Unit
> GGCS SKMF Infrastructure Division
> GMV
> C\ de Isaac Newton, 11
> 28760, Tres Cantos, Madrid
> España
> +34 918 07 21 00
> +34 918 07 21 99
> www.gmv.com
>
> -----Original Message-----
> Date: Fri, 12 Feb 2021 01:29:17 -0800
> From: Ted Mittelstaedt<tedm at ipinc.net>
> To: bind-users at lists.isc.org
> Subject: Re: Can't use Bind DLZ through LDAPS SSL
> Message-ID:<60264A6D.1090409 at ipinc.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Instead of beating your head against DLZ can't you simply put the DLZ
> query into stunnel and connect to the openldap server that way?
>
> Ted
>
> On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:
>> Hi there,
>>
>> I really don't know if this is the correct place to ask about Bind DLZ, but I'm afraid that I have not had any responses from the BIND DLZ mailing list and, since this seems to be an "official" plugin and it's compiled in the bind9 package from the SuSE15 SP2 repository, I will try to ask it over here.
>> I've deployed an OpenLDAP using the security options recommended by my cybersecurity team:
>>
>> - olcSecurity: ssf=256
>> - olcLocalSSF: 256
>> - olcRequires: authc
>> - olcDisallow: bind_anon
>> - olcTLSVerifyClient: try
>>
>> So essentially right now it is required to use certificates and LDAPS in order to bind to the OpenLDAP server. Otherwise a Confidential error will appear since the TLS SSL Handshake is not possible. Well, this is the expected behavior.
>> All the software of the environment works flawlessly using the SSL Certificates through LDAPS SSL except Bind DLZ. I could not find the way to configure it to use SSL.
>>
>> The Bind DLZ used is the one compiled with the BIND 9.16.6 (Stable Release) from the SUSE 15 SP2 repository.
>>
>> Could anybody help me?
>>
>> Thank you so much.
>> Regards.
>>
>> Dario Garcia
>> Díaz-Miguel
>> GGCS-SES Unit
>> GGCS SKMF Infrastructure Division
>> GMV
>> C\ de Isaac Newton, 11
>> 28760, Tres Cantos, Madrid
>> España
>> +34 918 07 21 00
>> +34 918 07 21 99
>> http://www.gmv.com
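A small check of the point Ted makes about olcSecurity and olcLocalSSF, added here as an example and not code from anyone in the thread. It assumes slapd's rule that a session's SSF is the strongest of its transport SSF (olcLocalSSF for ldapi://), TLS SSF and SASL SSF, and that an operation is refused with "confidentiality required" when that value is below the ssf= floor in olcSecurity; the config fragment is constructed from the values Dario posted.

```python
import re

# Constructed cn=config fragment mirroring the settings in the original post.
CONFIG_LDIF = """\
dn: cn=config
olcLocalSSF: 256
olcSecurity: ssf=256
olcRequires: authc
olcDisallow: bind_anon
olcTLSVerifyClient: try
"""


def parse_config(ldif: str) -> dict:
    """Extract olcLocalSSF and the ssf= part of olcSecurity as integers.

    Defaults follow slapd: localSSF is 71 and no overall ssf floor (0).
    """
    cfg = {"local_ssf": 71, "required_ssf": 0}
    for line in ldif.splitlines():
        if line.startswith("olcLocalSSF:"):
            cfg["local_ssf"] = int(line.split(":", 1)[1])
        elif line.startswith("olcSecurity:"):
            m = re.search(r"\bssf=(\d+)", line)
            if m:
                cfg["required_ssf"] = int(m.group(1))
    return cfg


def effective_ssf(cfg: dict, url: str, tls_ssf: int = 0, sasl_ssf: int = 0) -> int:
    """Strongest protection layer on the session (assumed slapd rule).

    Only the ldapi:// transport carries an SSF of its own; ldap:// and
    ldaps:// rely on the TLS (or SASL) layer negotiated on top of TCP.
    """
    scheme = url.split("://", 1)[0]
    transport_ssf = cfg["local_ssf"] if scheme == "ldapi" else 0
    return max(transport_ssf, tls_ssf, sasl_ssf)


def check_connection(cfg: dict, url: str, tls_ssf: int = 0, sasl_ssf: int = 0):
    """Return (accepted, reason) for a client URL against this config."""
    got = effective_ssf(cfg, url, tls_ssf, sasl_ssf)
    need = cfg["required_ssf"]
    if got >= need:
        return True, f"{url}: session ssf {got} >= required {need}, accepted"
    return False, f"{url}: session ssf {got} < required {need}, confidentiality required"


if __name__ == "__main__":
    cfg = parse_config(CONFIG_LDIF)
    for url, tls in (("ldapi:///", 0), ("ldap://localhost", 0), ("ldaps://localhost", 256)):
        print(check_connection(cfg, url, tls_ssf=tls)[1])
```

With these values an ldapi:// session passes without any TLS, a plain ldap:// session is refused, and an ldaps:// session passes only if the negotiated cipher reaches 256 bits; this is the consistency check Ted suggests running with ldapsearch before looking at the DLZ side.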

