[Pdns-users] PDNS 2.9.21.1, LDAP Backend + TLS.

Jason Hansen jhansen at xmission.com
Tue Aug 19 18:33:57 UTC 2008


Hello all,

I'm currently testing pdns+ldap and I'm having difficulty when the ldap server requires TLS. Digging through the list archives, my problems appear to be related to:

http://mailman.powerdns.com/pipermail/pdns-users/2006-September/003802.html
http://mailman.powerdns.com/pipermail/pdns-users/2008-June/005489.html

Unfortunately the threads died without resolution.

My environment consists of two CentOS 5.1 servers dns01 and ldap2, each running their respective daemons.

LDAP Server (ldap2):
    openldap 2.4.11 (compiled from source)
    openssl-0.9.8b-8.3.el5_0.2 (standard distro)
    
    relevant config for ldap is 'security tls=1'

PDNS Server (dns01):
    pdns 2.9.21.1 (compiled from source)
    openssl-0.9.8b-8.3.el5_0.2 (standard distro)
    openldap-2.3.27-8.el5_1.3 (standard distro)

    pdns config (/etc/pdns.conf):

    launch=ldap
    loglevel=9
    ldap-method=tree
    ldap-basedn=ou=domains,dc=dns
    ldap-binddn=cn=Manager,dc=dns
    ldap-secret=REDACTED

    ldap-starttls=yes
    ldap-host=ldap://ldap2:389

When I launch pdns_server and it spawns the backend threads, they are all rejected by the ldap server due to 'Confidentiality required'. Queries for dns records in the tree obviously time out.

[root at dns01 pdns]# pdns_server
Aug 19 12:05:35  [LdapBackend] This is the ldap module version 2.9.21.1 (Aug 19 2008, 09:24:31) reporting
Aug 19 12:05:35 This is a standalone pdns
Aug 19 12:05:35 Listening on controlsocket in '/var/run/pdns.controlsocket'
Aug 19 12:05:35 It is advised to bind to explicit addresses with the --local-address option
Aug 19 12:05:35 UDP server bound to 0.0.0.0:53
Aug 19 12:05:35 TCP server bound to 0.0.0.0:53
Aug 19 12:05:35 PowerDNS 2.9.21.1 (C) 2001-2008 PowerDNS.COM BV (Aug 19 2008, 09:26:23, gcc 4.1.2 20070626 (Red Hat 4.1.2-14)) starting up
Aug 19 12:05:35 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Aug 19 12:05:35 Set effective group id to 99
Aug 19 12:05:35 Set effective user id to 99
Aug 19 12:05:35 Creating backend connection for TCP
Aug 19 18:05:35 [LdapBackend] LDAP servers = ldap://ldap2:389
Aug 19 18:05:35 Launched webserver on dns01:8081
Aug 19 18:05:36 [LdapBackend] Ldap connection to server failed: Failed to bind to LDAP server: Confidentiality required
Aug 19 18:05:36 Caught an exception instantiating a backend, cleaning up
Aug 19 18:05:36 TCP server is unable to launch backends - will try again when questions come in: Unable to connect to ldap server
Aug 19 18:05:36 About to create 3 backend threads for UDP
Aug 19 18:05:36 [LdapBackend] LDAP servers = ldap://ldap2:389
Aug 19 18:05:36 [LdapBackend] Ldap connection to server failed: Failed to bind to LDAP server: Confidentiality required
Aug 19 18:05:36 Caught an exception instantiating a backend, cleaning up
Aug 19 18:05:36 [LdapBackend] LDAP servers = ldap://ldap2:389
Aug 19 18:05:36 [LdapBackend] Ldap connection to server failed: Failed to bind to LDAP server: Confidentiality required
Aug 19 18:05:36 Caught an exception instantiating a backend, cleaning up
Aug 19 18:05:36 [LdapBackend] LDAP servers = ldap://ldap2:389
Aug 19 18:05:36 [LdapBackend] Ldap connection to server failed: Failed to bind to LDAP server: Confidentiality required
Aug 19 18:05:36 Caught an exception instantiating a backend, cleaning up
Aug 19 18:05:36 Done launching threads, ready to distribute questions

LDAP server log corroborates:
conn=82 fd=25 ACCEPT from IP=dns01:35481 (IP=0.0.0.0:389)
conn=82 op=0 BIND dn="cn=Manager,dc=dns" method=128
conn=82 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
conn=82 op=1 UNBIND
conn=82 fd=25 closed
conn=83 fd=25 ACCEPT from IP=dns01:35482 (IP=0.0.0.0:389)
conn=83 op=0 BIND dn="cn=Manager,dc=dns" method=128
conn=83 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
conn=83 op=1 UNBIND
conn=83 fd=25 closed
conn=84 fd=25 ACCEPT from IP=dns01:35483 (IP=0.0.0.0:389)
conn=84 op=0 BIND dn="cn=Manager,dc=dns" method=128
conn=84 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
conn=84 op=1 UNBIND
conn=84 fd=25 closed
conn=85 fd=25 ACCEPT from IP=dns01:35484 (IP=0.0.0.0:389)
conn=85 op=0 BIND dn="cn=Manager,dc=dns" method=128
conn=85 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
conn=85 op=1 UNBIND
conn=85 fd=25 closed

A packet capture (wireshark) between the two boxes indicates that PDNS doesn't even attempt STARTTLS, but rather sends a simple bind:

185.166713 dns01 -> ldap2 TCP 40146 > 389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=2206771172 TSER=0 WS=2
185.166902 ldap2 -> dns01 TCP 389 > 40146 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=85428597 TSER=2206771172 WS=2
185.166926 dns01 -> ldap2 TCP 40146 > 389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=2206771173 TSER=85428597
185.166990 dns01 -> ldap2 LDAP bindRequest(1) simple
185.167138 ldap2 -> dns01 TCP 389 > 40146 [ACK] Seq=1 Ack=48 Win=5792 Len=0 TSV=85428597 TSER=2206771173
185.167576 ldap2 -> dns01 LDAP bindResponse(1) confidentialityRequired (TLS confidentiality required)
185.167598 dns01 -> ldap2 TCP 40146 > 389 [ACK] Seq=48 Ack=43 Win=5840 Len=0 TSV=2206771173 TSER=85428598
185.167663 dns01 -> ldap2 LDAP unbindRequest(2)
185.167681 dns01 -> ldap2 TCP 40146 > 389 [FIN, ACK] Seq=55 Ack=43 Win=5840 Len=0 TSV=2206771173 TSER=85428598
185.167896 ldap2 -> dns01 TCP 389 > 40146 [FIN, ACK] Seq=43 Ack=56 Win=5792 Len=0 TSV=85428598 TSER=2206771173

Testing from dns01 -> ldap2 with ldapsearch works as expected:
[root at dns01 pdns]# ldapsearch -ZZ -x -h ldap2  -b "ou=domains,dc=dns" "(objectClass=*)"
# extended LDIF
#
# LDAPv3
# base <ou=domains,dc=dns> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
...
# search result
search: 3
result: 0 Success

# numResponses: 10
# numEntries: 9

After various tinkering with ldaprc, /etc/openldap/ldap.conf, /etc/ldap.conf I'm pretty much out of ideas, and I'd rather not disable tls requirements between these two servers.

Any ideas?

Jason
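The exchange the capture above shows, as an added example that is not part of Jason's post or of the PowerDNS or OpenLDAP code: a small Python 3 (standard library only) BER encoder/decoder for the three LDAP messages involved, the cleartext simple bindRequest pdns actually sent, the bindResponse slapd answered with (resultCode 13, confidentialityRequired, which is what 'security tls=1' enforces), and the StartTLS extendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) that a client must send on port 389 before binding. The bindResponse bytes are constructed by hand from the fields visible in the capture and slapd log; the bind DN is the one from pdns.conf and the secret is a placeholder. Nothing here contacts a server.

```python
"""
Minimal LDAPv3 BER encoder/decoder for the messages seen on port 389 when a
client binds in the clear against slapd configured with 'security tls=1'.
Constructed example for illustration; not code from PowerDNS or OpenLDAP.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14
RESULT_NAMES = {0: "success", 13: "confidentialityRequired", 49: "invalidCredentials"}


def ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def integer(n):
    # Two's-complement INTEGER for n >= 0 (adds a leading 0x00 when the top bit is set)
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def octet_string(s):
    return tlv(0x04, s)


def ldap_message(msg_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, integer(msg_id) + protocol_op)


def simple_bind_request(msg_id, dn, password):
    """bindRequest [APPLICATION 0]: version 3, name, simple authentication [0].
    This is what the capture shows pdns sending first: the secret goes over the
    wire unencrypted, which is exactly what 'security tls=1' refuses."""
    op = integer(3) + octet_string(dn) + tlv(0x80, password)
    return ldap_message(msg_id, tlv(0x60, op))


def starttls_request(msg_id):
    """extendedRequest [APPLICATION 23] whose requestName [0] is the StartTLS OID.
    A client honouring ldap-starttls=yes sends this before any bind."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(packet):
    """Decode LDAPMessage{ messageID, bindResponse{ resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a bindResponse")
    tag, code, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": rc,
            "result_name": RESULT_NAMES.get(rc, "other"),
            "matched_dn": matched_dn.decode(), "diagnostic": diag.decode()}


def first_op_kind(client_message):
    """Classify the first protocolOp a client sends; the tag alone tells you
    whether STARTTLS was ever attempted, without decrypting anything."""
    _, body, _ = read_tlv(client_message, 0)
    _, _, pos = read_tlv(body, 0)
    tag, _, _ = read_tlv(body, pos)
    return {0x60: "simple bind in the clear", 0x77: "StartTLS extendedRequest"}.get(tag, "other")


# Constructed by hand from the capture: bindResponse(1) confidentialityRequired.
SAMPLE_BIND_RESPONSE = (
    b"\x30\x28"                               # LDAPMessage, 40 bytes follow
    b"\x02\x01\x01"                           # messageID 1
    b"\x61\x23"                               # bindResponse [APPLICATION 1], 35 bytes
    b"\x0a\x01\x0d"                           # resultCode ENUMERATED 13
    b"\x04\x00"                               # matchedDN ""
    b"\x04\x1cTLS confidentiality required"   # diagnosticMessage, 28 bytes
)

if __name__ == "__main__":
    # Placeholder secret; the real one is redacted in the post.
    pdns_sent = simple_bind_request(1, b"cn=Manager,dc=dns", b"placeholder-secret")
    print("first op pdns sent:", first_op_kind(pdns_sent))
    print("slapd answered:", parse_bind_response(SAMPLE_BIND_RESPONSE))
    print("first op a STARTTLS client sends:", first_op_kind(starttls_request(1)))
```

The hand-built response is 42 bytes, which is the server segment size implied by the capture (the server's Seq advances from 1 to 43), so the decoder is checked against the wire data rather than against its own encoder. Looking at the first protocolOp tag (0x60 simple bind versus 0x77 extendedRequest) is the quickest way to confirm from a capture whether a client attempted StartTLS at all.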

