Mathieu Baudier
2010-Oct-06 16:35 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
> Here are the changes I'd review:
>
>  1. After installing the CA cert, did you create a hash link? E.g.,
>
>     /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
>
>  2. Make sure you know the difference between /etc/ldap.conf and
>     /etc/openldap/ldap.conf. The former is used by nss_ldap, the
>     latter by openldap clients.
>
>  3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,
>
>     ssl start_tls
>     tls_checkpeer yes
>     tls_cacertdir /etc/openldap/cacerts
>
>     Additionally, I've had trouble using the "uri" directive
>     in /etc/ldap.conf, esp. with encrypted connections. The
>     "host" and "port" directives have worked better for me.
>
>  4. Does /etc/pam.d/system-auth have pam_ldap.so entries for
>     auth, account, password, and session?
>
>  5. Are you running nscd? (I've found it indispensable when working
>     with network auth.)
>
>  6. Review the changes to /etc/nsswitch.conf to make sure that
>     the passwd, shadow, and group entries all query ldap.

Thanks a lot for this check-list (I recommend it for others in the future).
I had already checked most of the points, but I still played around with
your ideas, without success.

But, this remark:

> I've never done ldaps to port 636, only TLS to port 389, so some of my
> comments may be slightly off-base in your situation.

made me think of checking what should be the difference between a
START_TLS on a plain ldap port and ldaps on the ssl port.

In /etc/ldap.conf: for ldap + START_TLS this is indeed

> ssl start_tls

but for ldaps (my case) this should be:

ssl on

Changing the value of 'ssl' to 'on' solved my problem!
(and this explains why my ldapsearch queries were working: as you pointed
out, /etc/ldap.conf is for the configuration of nss_ldap)

IMHO, the comments in /etc/ldap.conf could be a bit more explicit on the
'on' value:

...
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
...

Thanks a lot for your help!
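As an added example (not from the thread or from nss_ldap itself): a small POSIX shell check that reads an nss_ldap-style /etc/ldap.conf on stdin and reports whether the 'ssl' directive matches the transport implied by the uri or port, which catches the ldaps:// plus 'ssl start_tls' mismatch described above. The hostnames and config lines in the sample are constructed.

```shell
# Reads an nss_ldap-style ldap.conf on stdin and prints one verdict word:
#   ok              ssl directive matches the transport implied by uri/port
#   need-ssl-on     ldaps:// (or port 636) but ssl is not "on"  (the thread's bug)
#   need-start-tls  ldap:// (or port 389) but ssl is "on" (server speaks plain LDAP there)
#   no-tls          neither "ssl on" nor "ssl start_tls" is configured
#   no-checkpeer    TLS is configured but tls_checkpeer is not "yes"
ldap_conf_check() {
    # Drop comments and blank lines; for each directive the last value wins.
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    ssl=$(printf '%s\n' "$conf" | awk 'tolower($1)=="ssl"{v=tolower($2)} END{print v}')
    uri=$(printf '%s\n' "$conf" | awk 'tolower($1)=="uri"{v=tolower($2)} END{print v}')
    port=$(printf '%s\n' "$conf" | awk 'tolower($1)=="port"{v=$2} END{print v}')
    checkpeer=$(printf '%s\n' "$conf" | awk 'tolower($1)=="tls_checkpeer"{v=tolower($2)} END{print v}')

    # Work out which "ssl" value the host settings call for.
    case "$uri" in
        ldaps://*) want=on ;;
        ldap://*)  want=start_tls ;;
        *) if [ "$port" = 636 ]; then want=on
           elif [ "$port" = 389 ]; then want=start_tls
           else want=any; fi ;;
    esac

    if [ "$want" = on ] && [ "$ssl" != on ]; then echo need-ssl-on; return; fi
    if [ "$want" = start_tls ] && [ "$ssl" = on ]; then echo need-start-tls; return; fi
    if [ "$ssl" != on ] && [ "$ssl" != start_tls ]; then echo no-tls; return; fi
    if [ "$checkpeer" != yes ]; then echo no-checkpeer; return; fi
    echo ok
}

# Usage on a real system:  ldap_conf_check < /etc/ldap.conf
# Constructed sample reproducing the failing configuration from the thread.
printf 'uri ldaps://ldap.example.com/\nssl start_tls\ntls_checkpeer yes\n' | ldap_conf_check
```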
Miguel Medalha
2010-Oct-06 18:06 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
Are you aware that SSL on port 636 is now considered deprecated in favor of START_TLS on port 389?
Scott Robbins
2010-Oct-06 18:50 UTC
[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
On Wed, Oct 06, 2010 at 06:35:14PM +0200, Mathieu Baudier wrote:
>
> IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
> the 'on' value:

IMNSHO most documentation on LDAP is laughable, and perhaps one of the
main reasons Active Directory has become so much more popular. Say what
you want about MS, but it does seem to me that, at least on the sysadmin
and user side, their documentation is usually quite good, at least since
Windows 2000.

RH in particular has some really poor docs--as mentioned earlier, they
didn't feel it necessary to mention that they'd broken SSL and TLS.

As the authors of the excellent ldap for rocket scientists page say,
"The bad news is that IOHO never has so much been written so
incomprehensibly about a single topic with the possible exceptions of
BIND."

(That page is at http://www.zytrax.com/books/ldap/)

Might as well spam my own page while at it. :)
http://home.roadrunner.com/~computertaijutsu/ldap.html

Grouchily yours (and REALLY sick of the low quality of so much Linux
documentation)

--
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Gunn: Fair Cordelia. You still savin' my life?
Cordelia: Every minute.
Gunn: How's that workin' out?
Cordelia: You're alive aren't you?