Q: El Capitan + Server 5.0.15 No LDAP SSL TLS Certificate
-
Nov 3, 2015 11:54 AMby CJLinst,I can authenticate anything that does not require SSL/TLS for LDAP (which should be nothing, but that's a different subject).
More info. Logs with no certificate selected for OpenDirectory:
Nov 3 11:42:08 server slapd[62351]: @(#) $OpenLDAP: slapd 2.4.28 (Aug 22 2015 16:55:32) $
root@osx004.apple.com:/Library/Caches/com.apple.xbs/Binaries/OpenLDAP/OpenLDAP-510.23~39/Objects/serv ers/slapd
Nov 3 11:42:08 server slapd[62351]: daemon: SLAP_SOCK_INIT: dtblsize=8192
Nov 3 11:42:08 server slapd[62351]: main: Enabling TLS failed; continuing with TLS disabled.
Nov 3 11:42:08 server slapd[62351]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Nov 3 11:42:08 server slapd[62351]: slapd starting
Nov 3 11:42:08 server slapd[62351]: daemon: posting com.apple.slapd.startup notification
Logs with certificate selected for OpenDirectory:
Nov 3 11:43:11 server slapd[62390]: @(#) $OpenLDAP: slapd 2.4.28 (Aug 22 2015 16:55:32) $
root@osx004.apple.com:/Library/Caches/com.apple.xbs/Binaries/OpenLDAP/OpenLDAP-510.23~39/Objects/serv ers/slapd
Nov 3 11:43:11 server slapd[62390]: daemon: SLAP_SOCK_INIT: dtblsize=8192
Nov 3 11:43:11 server slapd[62390]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.admin.redacted.com"
Nov 3 11:43:12 server slapd[62390]: TLS: Can't get or use private key for olcTLSIdentity "APPLE:server.admin.redacted.com"; is it application-restricted?
Nov 3 11:43:12 server slapd[62390]: main: TLS init def ctx failed: -1
Nov 3 11:43:12 server slapd[62390]: main: Enabling TLS failed; continuing with TLS disabled.
Nov 3 11:43:12 server slapd[62390]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Nov 3 11:43:12 server slapd[62390]: slapd starting
Nov 3 11:43:12 server slapd[62390]: daemon: posting com.apple.slapd.startup notification
It cannot open the key for whatever reason. I cannot find where the key files are set. It doesn't appear to be in cn=config.
-
Nov 3, 2015 12:52 PMby CJLinst,Thanks, but this has nothing to do with client protection against logjam. The server is refusing to start with TLS enabled at all.
I am wondering if it is because /usr/bin/slapconfig does not have permission to read the private key out of the keychain, but I cannot change that either (with Keychain Access.app at least) because "Authorization via securityd no longer supported"
-
Nov 3, 2015 12:59 PMby CJLinst,I just tried to generate a key starting in Server.app to see if it's something about my CA-issued cert but I get to the point where it wants to export the key from the keychain and get
Nov 3 12:55:29 server SecurityAgent[1348]: Ignoring user action since the dialog has received events from an untrusted source
Looking like they needed a few more meetings between departments before implementing these changes.
-
Nov 3, 2015 1:35 PMby Linc Davis,Back up all data.
Quit the Server application and drag it to the Trash, but don't empty. You'll be prompted to confirm that you want to stop all services. You won't lose any data.
If you're using the server for DNS, temporarily change the primary DNS setting in the Network preference pane to another DNS.
Put the app back where it was and launch it. Test.
Revert the DNS setting, if applicable.
-
Nov 3, 2015 4:11 PMby CJLinst,SHA-256 signature, RSA 2048. Everything but slapd seems fine with it.
Before I punt and completely reinstall can anyone confirm their slapd is loading with certificates on El Capitan 10.11.1 + Server 5.0.15?
Quick test:
bash3.2# ldapsearch -Z
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
SASL/SRP authentication started
Please enter your password:
bash3.2#
ldapsearch tries TLS, fails, then it falls to SASL.
bash3.2# ldapsearch -ZZ
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
bash3.2#
ldapsearch tries TLS, it fails, and since it's required by -ZZ it exits.
This all worked fine on Yosemite.
-
Nov 3, 2015 6:25 PMby Linc Davis,Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.
2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
4. If you have accounts with network home directories, make sure the URL's are correct in the user settings. A return status of 45 from the authorizationhost daemon in the log may mean that the URL for mounting the home directory was not updated after a change in the hostname or in the file-sharing protocol (from AFP to SMB or vice versa.) If the server and clients are all running OS X 10.10 or later, directories should be shared with SMB rather than AFP.
5. Follow these instructions to rebuild the Kerberos configuration on the server.
6. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
In the case of a self-signed certificate, create a trust profile in Profile Manager and deploy it on the clients. On the server, you may need to create the folder
/etc/openldap/certs
and put a copy of the server's certificate in it; for example:
/etc/openldap/certs/server-nameAlso add a directive to the file
/etc/openldap/ldap.conf
of the form
TLS_CACERT /etc/openldap/certs/server-name7. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
8. Reboot the master and the clients.
9. Don't log in to the server with a network user's account.
10. Disable any internal firewalls in use, including third-party "security" software.
11. If you've created any replica servers, delete them.
12. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.
13. If there are slapd errors in the log, try the following steps.
Turn off Open Directory in the Server app.
Enter in a shell:
cd /var/db/openldap
sudo -s
db_recover -c -h authdata
db_recover -c -h openldap-data
Turn Open Directory back on.
14. Reset the password policy database:
sudo pwpolicy -clearaccountpolicies
15. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. In some cases, you may have to use the shell to delete the server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.
-
Nov 3, 2015 7:36 PMby CJLinst,OD is working fine, save for starting TLS/SSL.
Dude. The problem is right here:
Nov 3 11:43:11 server slapd[62390]: daemon: SLAP_SOCK_INIT: dtblsize=8192
Nov 3 11:43:11 server slapd[62390]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.admin.redacted.com"
Nov 3 11:43:12 server slapd[62390]: TLS: Can't get or use private key for olcTLSIdentity "APPLE:server.admin.redacted.com"; is it application-restricted?
Nov 3 11:43:12 server slapd[62390]: main: TLS init def ctx failed: -1
Nov 3 11:43:12 server slapd[62390]: main: Enabling TLS failed; continuing with TLS disabled.
-
Nov 4, 2015 8:10 AMby Blaidd Drwg,For the specific message you highlighted in the slapd.log snippet, you could check the following. In Keychain Access, select the System keychain. Select "Certificates" under category and select the certificate with name "server.admin.redacted.com". Click the disclosure triangle next to that certificate and you'll see its private key. Double click it and inspect the access tab. Its access control should be set to "Allow all applications to access this item" or /usr/libexec/slapd should be allowed access.
