Hello,

I'm trying to set up a CentOS 5.3 machine to do authentication via OpenLDAP. I've got it working, I'm not sure if I have it 100% right, but I can use ldapsearch to query the directory, use finger, id, chown, and other utilities with LDAP usernames and groups, log in via ssh as an LDAP user and, if it's a new user, automatically have the home directory created.

Having got this far, if anyone with a working LDAP authentication system could give my config a sanity check, let me know. My goal now is to get TLS encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.

Any help appreciated.
Thanks.
Dave.
On Tue, May 24, 2011 at 04:49:09PM -0400, David Mehler wrote:
> Hello,
> I'm trying to set up a centos 5.3 machine to do authentication via
> openldap. I've got it working, I'm not sure if I have it 100% right,
> but I can use ldapsearch to query the directory, use finger, id,
> chown, and other utilities with ldap usernames and groups, log in via
> ssh as an ldap user and if it's a new user automatically have the home
> directory created.
>
> Having got this far if anyone with a working ldap authentication
> system could give my config a sanity check let me know. My goal now is
> to get tls encryption going so that usernames and passwords aren't
> sent in the clear. I'm using self-signed certificates for now.

I'm going to post a link to my own page on it---which has links to other pages. Among other things, it goes through TLS.

http://home.roadrunner.com/~computertaijutsu/ldap.html

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Willow: The school paper is edging on depressing lately. Have you guys noticed that?
Oz: I don't know. I always go straight to the obits.
David Mehler wrote:
> Hello,
> I'm trying to set up a centos 5.3 machine to do authentication via
> openldap. I've got it working, I'm not sure if I have it 100% right,
> but I can use ldapsearch to query the directory, use finger, id,
> chown, and other utilities with ldap usernames and groups, log in via
> ssh as an ldap user and if it's a new user automatically have the home
> directory created.
>
> Having got this far if anyone with a working ldap authentication
> system could give my config a sanity check let me know. My goal now is
> to get tls encryption going so that usernames and passwords aren't
> sent in the clear. I'm using self-signed certificates for now.
>

First, I suspect you'll get a ton of replies saying that you should upgrade to 5.6 from 5.3.

Second, you've gotten that far; when I was dealing with openldap, I rather liked webmin to do my sanity checks for it.

mark
On Tue, 24 May 2011, David Mehler wrote:
> Having got this far if anyone with a working ldap authentication
> system could give my config a sanity check let me know. My goal now
> is to get tls encryption going so that usernames and passwords
> aren't sent in the clear. I'm using self-signed certificates for
> now.

This /etc/ldap.conf works well for me on CentOS 5:

----- %< -----
# failover doesn't work using the newer 'uri' directive.
# can go to ldap1; use ldap2 for backup
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com

# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts

# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30

# a stock centos/rhel directive; its utility is murky to me
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
----- %< -----

Prior to switching to LDAP, I download the CA certificate used to sign the ldap1 and ldap2 server certs and hash it for OpenSSL. I typically do it via the %post section in kickstart:

curl http://www.domain.com/ca/ca.domain.com.crt \
    -s -o /etc/openldap/cacerts/ca.domain.com.pem
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
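The directives Paul's config relies on for the original poster's goal are `ssl start_tls` (so the simple bind is wrapped in TLS) and `tls_checkpeer yes` backed by a CA directory (so the client actually verifies which server it is talking to). The script below is an added example, not code from the thread or from CentOS: it audits a pam_ldap/nss_ldap-style /etc/ldap.conf for exactly those three settings and flags the usual ways they go wrong, including the half-finished case where STARTTLS is on and verification is requested but no CA has been installed. The hostnames, paths and sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the transport-security
# directives of a pam_ldap/nss_ldap /etc/ldap.conf. All hostnames,
# paths and sample files below are constructed.

# Print the last value given to a directive, ignoring comment lines.
# ldap.conf keywords are case-insensitive and the last occurrence wins.
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { v = $2 }
        END { print v }
    ' "$1"
}

# Print one finding per line; return 0 only when there is no FAIL.
audit_ldap_conf() {
    f=$1
    rc=0
    ssl=$(ldap_conf_get "$f" ssl)
    checkpeer=$(ldap_conf_get "$f" tls_checkpeer)
    cacertdir=$(ldap_conf_get "$f" tls_cacertdir)
    cacertfile=$(ldap_conf_get "$f" tls_cacertfile)

    case "$ssl" in
        start_tls) ;;   # STARTTLS upgrade on the plain ldap:// port
        on) ;;          # ldaps://, TLS from the first byte
        *)  echo "FAIL: ssl is '${ssl:-unset}'; simple binds send the password in the clear"
            rc=1 ;;
    esac

    case "$checkpeer" in
        yes) # Verification requested: it needs a trust anchor to verify against.
             if [ -z "$cacertdir" ] && [ -z "$cacertfile" ]; then
                 echo "FAIL: tls_checkpeer yes but no tls_cacertdir/tls_cacertfile configured"
                 rc=1
             fi ;;
        no)  echo "FAIL: tls_checkpeer no; the server certificate is never verified"
             rc=1 ;;
        *)   echo "WARN: tls_checkpeer unset; behaviour follows the libldap TLS_REQCERT default" ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the clear-text starting point, no TLS and no peer check.
cat > "$WORK/ldap.conf.weak" <<'EOF'
host ldap1.example.com ldap2.example.com
port 389
base dc=example,dc=com
tls_checkpeer no
EOF

# Constructed: STARTTLS requested, verification asked for, but no CA installed.
cat > "$WORK/ldap.conf.noca" <<'EOF'
host ldap1.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
EOF

# Constructed: the shape of the working config posted in the thread.
cat > "$WORK/ldap.conf.good" <<'EOF'
host ldap1.example.com ldap2.example.com
port 389
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
EOF

for c in weak noca good; do
    echo "== ldap.conf.$c"
    audit_ldap_conf "$WORK/ldap.conf.$c" || :
done
```

Run it as-is to see the three verdicts, or point `audit_ldap_conf` at a real /etc/ldap.conf. The CA-directory check only tells you a path is configured; that the directory actually holds the hashed CA (what `cacertdir_rehash` produces) still has to be confirmed on the host, for instance with `ls /etc/openldap/cacerts`.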
I think that the most secure setup is to use both LDAPI (ldap connections over Unix sockets) for connections inside the ldap server and TLS for connections from everywhere else on the network. Plus, ldapi connections are much faster than TCP connections. Am I wrong?