Mathieu Baudier
2010-Oct-06 08:24 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://)
Hello,

I have a central repository of users/groups based on OpenLDAP which is working on a remote LAN (servers share users' credentials and mount their home directories via NFS). They use non-encrypted ldap restricted to the local network.

Now, I have a few servers in our local office and I would like them to authenticate from the remote LDAP server using encryption via ldaps://.
(at this stage, without using client-side certificate)

I have run a similar command as I did on the remote servers, replacing ldap://localldapserver by ldaps://ldap.mycompany.com:

authconfig --enableldap --enableldapauth --enablecache --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256 --updateall

and I put the CA certificate at the right place.
(either explicitly pointing to it via TLS_CACERT or downloading it to /etc/openldap/cacerts via system-config-authentication)

In all my various tests,
ldapsearch -x
returns the content of the remote LDAP, so I guess that at least openldap clients are properly configured.

But when I try:
getent passwd
the command hangs.

Same when I try to:
su - myuser

(I also tried configuring with the system-config-authentication UI from a box with GNOME, and also tried authconfig without --enableldaptls)

So is there anything specific to authentication via ldaps: that I should have done?
(as I said, this approach systematically works with plain ldap on this same LDAP server)

Thanks in advance for your help!

Mathieu

Note: all systems involved are running up to date CentOS 5.5
Scott Robbins
2010-Oct-06 11:17 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://)
On Wed, Oct 06, 2010 at 10:24:44AM +0200, Mathieu Baudier wrote:
> Hello,
>
> Now, I have a few servers in our local office and I would like them to
> authenticate from the remote LDAP server using encryption via
> ldaps://.
> (at this stage, without using client-side certificate)
>
> I have run a similar command as I did on the remote servers, replacing
> ldap://localldapserver by ldaps://ldap.mycompany.com:
> authconfig --enableldap --enableldapauth --enablecache
> --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com
> --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256
> --updateall

Did you, on the server, change the new, undocumented, /etc/sysconfig/ldap file's entry for SLAPD_LDAPS and restart the ldap service on the server?

(It's documented in the CentOS wiki's FAQ, however, apparently no one at RH figured it merited mention.)

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Xander: I laugh in the face of danger. Then I hide until it goes away
Paul Heinlein
2010-Oct-06 15:32 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://)
On Wed, 6 Oct 2010, Mathieu Baudier wrote:
> Now, I have a few servers in our local office and I would like them to
> authenticate from the remote LDAP server using encryption via
> ldaps://.
> (at this stage, without using client-side certificate)
>
> I have run a similar command as I did on the remote servers, replacing
> ldap://localldapserver by ldaps://ldap.mycompany.com:
> authconfig --enableldap --enableldapauth --enablecache
> --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com
> --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256
> --updateall
>
> and I put the CA certificate at the right place.
> (either explicitly pointing to it TLS_CACERT or downloading it to
> /etc/openldap/cacerts via system-config-authentication)
>
> In all my various tests,
> ldapsearch -x
> returns the content of the remote LDAP, so I guess that at least
> openldap clients are properly configured.
>
> But when I try:
> getent passwd
> the command hangs.

I've never done ldaps to port 636, only TLS to port 389, so some of my comments may be slightly off-base in your situation. Here are the changes I'd review:

1. After installing the CA cert, did you create a hash link? E.g.,

   /usr/sbin/cacertdir_rehash /etc/openldap/cacerts

2. Make sure you know the difference between /etc/ldap.conf and /etc/openldap/ldap.conf. The former is used by nss_ldap, the latter by openldap clients.

3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,

   ssl start_tls
   tls_checkpeer yes
   tls_cacertdir /etc/openldap/cacerts

   Additionally, I've had trouble using the "uri" directive in /etc/ldap.conf, esp. with encrypted connections. The "host" and "port" directives have worked better for me.

4. Does /etc/pam.d/system-auth have pam_ldap.so entries for auth, account, password, and session?

5. Are you running nscd? (I've found it indispensable when working with network auth.)

6. Review the changes to /etc/nsswitch.conf to make sure that the passwd, shadow, and group entries all query ldap.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
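The checks raised in the two replies (the SLAPD_LDAPS switch in /etc/sysconfig/ldap on the server, and on the client the nss_ldap TLS directives in /etc/ldap.conf, the cacertdir_rehash hash links, and the ldap entries in /etc/nsswitch.conf) can be turned into a small static audit. The script below is an added example written for this thread, not code posted by any of the participants or shipped with CentOS: it reads copies of those files from paths given as arguments (defaults and sample values are assumptions), reports each missing or unsafe setting, and returns the number of problems found. Of particular interest for the original question is the difference between "ssl on" (ldaps:// on port 636) and "ssl start_tls" (STARTTLS on port 389), and whether tls_checkpeer is set to yes, without which the client accepts any certificate and the encrypted channel is not authenticated.

```shell
#!/bin/sh
# Added example (not from the thread): static sanity checks for a CentOS 5
# nss_ldap/pam_ldap client that should reach a remote OpenLDAP over ldaps://,
# plus the server-side SLAPD_LDAPS switch.  All file paths are parameters so
# the checks can run against copies of the files; nothing here touches the network.

# conf_value FILE KEY: print the value of the first "KEY value" line.
# The key match is case-insensitive; comment lines never match; empty if absent.
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# check_ldap_conf LDAP_CONF: verify the nss_ldap directives needed for an
# encrypted, server-authenticated connection (see /etc/ldap.conf, not
# /etc/openldap/ldap.conf).  Prints one line per problem, returns their count.
check_ldap_conf() {
    f="$1"; problems=0
    uri=$(conf_value "$f" uri)
    ssl=$(conf_value "$f" ssl)
    enc=no
    case "$uri" in ldaps://*) enc=yes ;; esac        # explicit ldaps:// URI (port 636)
    case "$ssl" in on|start_tls) enc=yes ;; esac      # 'ssl on' = ldaps, 'ssl start_tls' = STARTTLS on 389
    if [ "$enc" = no ]; then
        echo "no encryption configured: want 'ssl on' (or a ldaps:// uri) or 'ssl start_tls'"
        problems=$((problems+1))
    fi
    if [ "$(conf_value "$f" tls_checkpeer)" != "yes" ]; then
        echo "tls_checkpeer is not 'yes': the server certificate would not be verified"
        problems=$((problems+1))
    fi
    dir=$(conf_value "$f" tls_cacertdir)
    file=$(conf_value "$f" tls_cacertfile)
    if [ -n "$dir" ]; then
        # cacertdir_rehash creates <hash>.N links; without them the CA is never found
        if ! ls "$dir" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "tls_cacertdir $dir has no hash links (run: cacertdir_rehash $dir)"
            problems=$((problems+1))
        fi
    elif [ -n "$file" ]; then
        [ -r "$file" ] || { echo "tls_cacertfile $file is not readable"; problems=$((problems+1)); }
    else
        echo "neither tls_cacertdir nor tls_cacertfile is set"
        problems=$((problems+1))
    fi
    return $problems
}

# check_nsswitch NSSWITCH_CONF: passwd, shadow and group must all consult ldap.
check_nsswitch() {
    f="$1"; problems=0
    for db in passwd shadow group; do
        if ! awk -v db="$db:" '$1 == db' "$f" | grep -qw ldap; then
            echo "nsswitch: '$db' does not include ldap"
            problems=$((problems+1))
        fi
    done
    return $problems
}

# check_sysconfig_ldap SYSCONFIG_LDAP: server side, slapd only listens on 636
# when SLAPD_LDAPS=yes is set (and the ldap service restarted).
check_sysconfig_ldap() {
    if grep -Eq '^[[:space:]]*SLAPD_LDAPS=yes' "$1"; then
        return 0
    fi
    echo "$1: SLAPD_LDAPS=yes is not set, slapd will not listen on ldaps://"
    return 1
}

# check_ldap_client LDAP_CONF NSSWITCH_CONF: run the client-side checks, print
# a summary, return the total number of problems.
check_ldap_client() {
    total=0
    echo "== $1 (nss_ldap)";  check_ldap_conf "$1" || total=$((total+$?))
    echo "== $2 (nsswitch)";  check_nsswitch "$2" || total=$((total+$?))
    echo "$total problem(s) found"
    return $total
}

# Usage: sh ldap_client_check.sh /etc/ldap.conf /etc/nsswitch.conf
if [ $# -ge 2 ]; then
    check_ldap_client "$1" "$2"
fi
```

Run it on a client with `sh ldap_client_check.sh /etc/ldap.conf /etc/nsswitch.conf`; the exit status is the number of problems, so it fits in a deployment check. The functions are deliberately split so `check_sysconfig_ldap /etc/sysconfig/ldap` can be run separately on the LDAP server. Note that `tls_checkpeer yes` is what makes the CA certificate matter at all: with it set to `no`, the hash-link and cacertdir problems disappear, but so does any protection against a spoofed server.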