Mathieu Baudier
2010-Oct-06 16:35 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
> Here are the changes I'd review: > > ?1. After installing the CA cert, did you create a hash link? E.g., > > ? ? /usr/sbin/cacertdir_rehash /etc/openldap/cacerts > > ?2. Make sure you know the difference between /etc/ldap.conf and > ? ? /etc/openldap/ldap.conf. The former is used by nss_ldap, the > ? ? latter by openldap clients. > > ?3. Does /etc/ldap.conf have all the correct TLS entries, e.g., > > ? ? ssl start_tls > ? ? tls_checkpeer yes > ? ? tls_cacertdir /etc/openldap/cacerts > > ? ? Additionally, I've had trouble using the "uri" directive > ? ? in /etc/ldap.conf, esp. with encrypted connections. The > ? ? "host" and "port" directives have worked better for me. > > ?4. Does /etc/pam.d/system-auth have pam_ldap.so entries for > ? ? auth, account, password, and session? > > ?5. Are you running nscd? (I've found it indispensable when working > ? ? with network auth.) > > ?6. Review the changes to /etc/nsswitch.conf to make sure that > ? ? the passwd, shadow, and group entries all query ldap.Thanks a lot for this check-list (I recommend it for others in the future). I had already checked most of the points, but I still played around with your ideas, without success But, this remark:> I've never done ldaps to port 636, only TLS to port 389, so some of my > comments may be slightly off-base in your situtation.made me think of checking what should be the difference between a START_TLS on a plain ldap port and ldaps on the ssl port In /etc/ldap.conf: for ldap + START_TLS this is indeed> ssl start_tlsbut for ldaps (my case) this should be: ssl on Changing the value of 'ssl' to 'on' solved my problem! (and this explains why my ldapsearch queries were working: as you pointed out, /etc/ldap.conf is for the configuration of nss_ldap) IMHO, the comments in /etc/ldap.conf could be a bit more explicit on the 'on' value: ... # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on ... Thanks a lot for your help!
Miguel Medalha
2010-Oct-06 18:06 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
Are you aware that SSL on port 636 is now considered deprecated in favor of START_TLS on port 389?
Scott Robbins
2010-Oct-06 18:50 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:> > IMHO, the comments in /etc/ldap.conf could be a bit more explicit on > the 'on' value:IMNSHO most docmentation on LDAP is laughable, and perhaps one of the main reasons Active Directory has become so much more popular. Say what you want about MS, but it does seem to me, that at least on the syadmin and user side that their documentation is usually quite good, at least since Windows 2000. RH in particular has some really poor docs--as mentioned earlier, they didn't feel it necessary to mention that they'd broken SSL and TLS. As the authors of the excellent ldap for rocket scientists page say. "The bad news is that IOHO never has so much been written so incomprehensibly about a single topic with the possible exceptions of BIND." (That page is at http://www.zytrax.com/books/ldap/) Might as well spam my own page while at it. :) http://home.roadrunner.com/~computertaijutsu/ldap.html Grouchily yours (and REALLY sick of the low quality of so much Linux documentation) -- Scott Robbins PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 ) gpg --keyserver pgp.mit.edu --recv-keys EB3467D6 Gunn: Fair Cordelia. You still savin' my life? Cordelia: Every minute. Gunn: How's that workin' out? Cordelia: You're alive aren't you?
Reasonably Related Threads
- LDAPs causing System Message Bus to hang when there's no network
- CentOS7: Setting up ldap over TLS in kickstart file
- LDAP authentication on a remote server (via ldaps://)
- LDAP clients fail to connect with SSL enabled
- Problem with User and Group Ownership listing