jcfergus1

start_tls without anonymous simple bind?


Is it possible to use start_tls on port 389 without having anonymous
simple bind enabled? As far as I can tell it's not, but it would be
nice to have confirmation of this.

(eDirectory 8.8.5 SP2 on SuSE)

If I turn on "Require TLS for all operations", "Disallow Anonymous
Simple Bind", and "Require TLS for Simple Binds with Password", I cannot
seem to authenticate to my eDirectory instance on port 389 using
start_tls. (SSL port 636 still works fine.)

ldapsearch returns:


Code:
--------------------
ldapsearch -ZZ -x -h edirectory.example.com -D "cn=bob,o=example" -W -p 389 -LLL -P 3 -s one objectClass=* -v
ldap_initialize( ldap://edirectory.example.com:389 )
ldap_start_tls: Inappropriate authentication (48)
additional info: Anonymous Simple Bind Disabled.
--------------------


dstrace shows:


Code:
--------------------
INFO: Implied anonymous bind by operation 0x1:0x77 on connection 0x27cff780
INFO: Sending operation result 48:"":"Anonymous Simple Bind Disabled." to connection 0x27cff780
INFO: Monitor 0xf6107ba0 found connection 0x27cff780 socket closed, err = -5871, 0 of 0 bytes read
INFO: Monitor 0xf6107ba0 initiating close for connection 0x27cff780
INFO: Server closing connection 0x27cff780, socket error = -5871
INFO: Connection 0x27cff780 closed
--------------------


If I turn off "Disallow Anonymous Bind", it works fine, but I really
don't want to go mucking around with [PUBLIC] permissions to restrict
the proxy user to have no access. (It shouldn't break anything, but...)
So is there any way to allow connections on 389 to do START_TLS without
enabling anonymous simple bind?


--
jcfergus
------------------------------------------------------------------------
jcfergus's Profile: http://forums.novell.com/member.php?userid=402
View this thread: http://forums.novell.com/showthread.php?t=448803
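To see why the server reacts the way the dstrace lines show, it helps to look at what a StartTLS request actually contains on the wire. The following is an added example, not code from the thread and not eDirectory code: a minimal BER encoder/decoder for the two LDAP messages in the failing exchange, built from the RFC 4511 definitions (StartTLS is an ExtendedRequest with OID 1.3.6.1.4.1.1466.20037; `[APPLICATION 23]` constructed encodes as tag byte 0x77). The reading of "operation 0x1:0x77" in the trace as messageID:protocolOp-tag is my inference, labelled as such in the code, and the server reply is constructed here from the result code and diagnostic text that appear in the ldapsearch and dstrace output above.

```python
# Added example (not from the thread or from eDirectory): a minimal BER
# encoder/decoder for the StartTLS ExtendedRequest and the refusing
# ExtendedResponse. Structures follow RFC 4511; OID and result code are the
# standard values.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS requestName, RFC 4511 4.14.1
INAPPROPRIATE_AUTHENTICATION = 48          # resultCode that ldapsearch printed
EXTENDED_REQUEST_TAG = 0x77                # [APPLICATION 23] constructed = 0x40|0x20|23
EXTENDED_RESPONSE_TAG = 0x78               # [APPLICATION 24] constructed

# protocolOp tags commonly met in a trace (RFC 4511 4.1.1)
OP_NAMES = {
    0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest",
    0x64: "SearchResultEntry", 0x65: "SearchResultDone",
    EXTENDED_REQUEST_TAG: "ExtendedRequest", EXTENDED_RESPONSE_TAG: "ExtendedResponse",
}


def ber_len(n):
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n, tag=0x02):
    """INTEGER (or ENUMERATED when tag=0x0A) for small non-negative values."""
    return tlv(tag, n.to_bytes(1 if n < 0x80 else 2, "big"))


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] LDAPOID } }.

    Note what is *not* here: no DN, no password, no SASL credentials. The
    connection is still unauthenticated when this arrives, which is the
    state the "Disallow Anonymous Simple Bind" setting refuses.
    """
    ext = tlv(EXTENDED_REQUEST_TAG, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, ber_int(message_id) + ext)


def starttls_refused(message_id=1, diag="Anonymous Simple Bind Disabled."):
    """Constructed server reply carrying the LDAPResult seen in the thread:
    resultCode 48, empty matchedDN, diagnosticMessage as in dstrace."""
    result = (ber_int(INAPPROPRIATE_AUTHENTICATION, tag=0x0A)
              + tlv(0x04, b"") + tlv(0x04, diag.encode("utf-8")))
    return tlv(0x30, ber_int(message_id) + tlv(EXTENDED_RESPONSE_TAG, result))


def parse_tlv(buf, pos=0):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_message(buf):
    """Decode an LDAPMessage into the fields a trace line summarises."""
    tag, body, _ = parse_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    info = {"message_id": int.from_bytes(mid, "big"), "op_tag": op_tag,
            "op_name": OP_NAMES.get(op_tag, "unknown")}
    if op_tag == EXTENDED_REQUEST_TAG:
        _, oid, _ = parse_tlv(op)          # requestName [0]
        info["request_name"] = oid.decode("ascii")
    elif op_tag == EXTENDED_RESPONSE_TAG:  # LDAPResult: code, matchedDN, diag
        _, rc, pos = parse_tlv(op)
        _, _matched, pos = parse_tlv(op, pos)
        _, diag, _ = parse_tlv(op, pos)
        info["result_code"] = int.from_bytes(rc, "big")
        info["diagnostic_message"] = diag.decode("utf-8")
    return info


def trace_label(info):
    """Render 'messageID:tag' the way I read the dstrace text
    'operation 0x1:0x77' (an assumption about dstrace, not documented here)."""
    return f"0x{info['message_id']:x}:0x{info['op_tag']:x}"


if __name__ == "__main__":
    req = decode_message(starttls_request())
    print(trace_label(req), req["op_name"], req["request_name"])  # 0x1:0x77 ExtendedRequest 1.3.6.1.4.1.1466.20037
    resp = decode_message(starttls_refused())
    print(resp["result_code"], resp["diagnostic_message"])       # 48 Anonymous Simple Bind Disabled.
```

The decoded request shows the practical point: the first message on a `-ZZ` connection is an ExtendedRequest carrying only a message ID and an OID, so a server that treats every pre-bind operation as an anonymous simple bind will refuse StartTLS whenever anonymous binds are disallowed, regardless of what the client intends to bind as afterwards. Until the behaviour changes, the port 636 (LDAPS) path the original post mentions keeps the simple bind inside TLS without having to relax the anonymous-bind setting or rework [PUBLIC] rights.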


Anonymous_User

Re: start_tls without anonymous simple bind?

Bug# 733188 reported. You may want to open an SR to await a fix.

Good luck.
Anonymous_User

Re: start_tls without anonymous simple bind?

Silly me... I forgot to mention I verified this on 8.8 SP6 Patch 3 as
well. I did not test Patch 4 (no time yet) but it is not listed as a
fix for that in the TID of all changes so I expect it is not fixed yet.

Good luck.
jcfergus1

Re: start_tls without anonymous simple bind?


Wow, thanks! An SR was going to be our next step - glad to know I
wasn't just missing something obvious.


--
jcfergus


Anonymous_User

Re: start_tls without anonymous simple bind?


I ran into the same issue. Any solution/fix info would be useful. It
is a bug really; RFC 4513 states:

There is no general requirement that the client have or have not
already performed a Bind operation (Section 5) before sending a
StartTLS operation request; however, where a client intends to
perform both a Bind operation and a StartTLS operation, it SHOULD
first perform the StartTLS operation so that the Bind request and
response messages are protected by the data security services
established by the StartTLS operation.


That means an anonymous bind should not be required to establish TLS.


--
rapatel
------------------------------------------------------------------------
rapatel's Profile: http://forums.novell.com/member.php?userid=47496

Knowledge Partner

Re: start_tls without anonymous simple bind?

rapatel wrote:

>
> I ran into the same issue.. any solution/fix info would be useful..
> it is a bug really - RFC4513 states:
>
> There is no general requirement that the client have or have not
> already performed a Bind operation (Section 5) before sending a
> StartTLS operation request; however, where a client intends to
> perform both a Bind operation and a StartTLS operation, it SHOULD
> first perform the StartTLS operation so that the Bind request and
> response messages are protected by the data security services
> established by the StartTLS operation.
>
>
> That means an anonymous bind should not be required to establish TLS.


It hasn't been fixed yet. If you want to speed this up, I suggest you
open an SR and mention the bug Aaron posted (Bug# 733188).

--
Cheers,
Edward