Patrick Begou
2018-Jun-14 08:01 UTC
[CentOS] CentOS7: Setting up ldap over TLS in kickstart file
Hi, I'm facing a problem with setting up LDAP+TLS client authentication in a kickstart script on CentOS7 for several days. Setting up manualy the config with system-config-authentication works but I need to automate this in kickstart for deploying cluster nodes. This show that the server side is running fine. At this time the message is #systemctl status sssd |.... sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)| In my kickstart file I use: auth? --useshadow --enableldaptls --enablecache? --passalgo=sha512 --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" --ldapbasedn=dc=my,dc=base,dc=dn Then in a post install script I download the server and ca certificates and stops nslcd that I do not use: echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf cd /etc/openldap/cacerts/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0 cd /etc/openldap/certs/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt cd / systemctl disable nslcd I'm unable to see what system-config-authentication is doing more in it's setup. Thanks for your help Patrick |||| || -- ==================================================================| Equipe M.O.S.T. | | | Patrick BEGOU | mailto:Patrick.Begou at grenoble-inp.fr | | LEGI | | | BP 53 X | Tel 04 76 82 51 35 | | 38041 GRENOBLE CEDEX | Fax 04 76 82 52 71 | ===================================================================
Paul Heinlein
2018-Jun-14 15:54 UTC
[CentOS] CentOS7: Setting up ldap over TLS in kickstart file
On Thu, 14 Jun 2018, Patrick Begou wrote:> Hi, > > I'm facing a problem with setting up LDAP+TLS client authentication in a > kickstart script on CentOS7 for several days. > > Setting up manualy the config with system-config-authentication works but I > need to automate this in kickstart for deploying cluster nodes. > This show that the server side is running fine. > > At this time the message is > > #systemctl status sssd > > | .... > sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL > routines:ssl3_get_server_certificate:certificate verify failed (self signed > certificate)| > > In my kickstart file I use: > auth? --useshadow --enableldaptls --enablecache? --passalgo=sha512 > --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" > --ldapbasedn=dc=my,dc=base,dc=dn > > Then in a post install script I download the server and ca certificates and > stops nslcd that I do not use: > > echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf > cd /etc/openldap/cacerts/ && wget > http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s > ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0 > cd /etc/openldap/certs/ && wget > http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt > cd / > systemctl disable nslcd > > I'm unable to see what system-config-authentication is doing more in it's > setup. > > Thanks for your helpI'm a bit stumped. My recipe was similar: authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enableldap --enableldapauth --ldapserver=ldap.ourcompany.com --ldapbasedn=dc=ourcompany,dc=com --enablecache --enableldaptls then, in %post: curl http://www.ourcompany.com/ca/ca.crt \ -s -o /etc/openldap/cacerts/ca.ourcompany.com.pem /usr/sbin/cacertdir_rehash /etc/openldap/cacerts And that did the trick. The main difference is that you install a bundle of certifcates rather than a single one. There are two issues: 1. Hashing a certificate bundle does no good as far as I know. Hashes only work on a single cert, right? 2. Unless told otherwise, openssl looks in only one place for a cert bundle: ${OPENSSLDIR}/cert.pem (where the value of OPENSSLDIR can be discovered by running "openssl version -d"). You might take a peek at the ldap_tls_cacertdir discussion in the sssd-ldap(5) man page, which specifies that certificates should be in individual files. My suggestion would be to isolate the CA certificate used to sign your LDAP server certs, install that as a separate file in ldap_tls_cacertdir, and run cacertdir_rehash to get the hash correct. -- Paul Heinlein heinlein at madboa.com 45?38' N, 122?6' W
Gordon Messmer
2018-Jun-14 23:21 UTC
[CentOS] CentOS7: Setting up ldap over TLS in kickstart file
On 06/14/2018 01:01 AM, Patrick Begou wrote:> In my kickstart file I use: > auth? --useshadow --enableldaptls --enablecache? --passalgo=sha512 > --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" > --ldapbasedn=dc=my,dc=base,dc=dn > > Then in a post install script I download the server and ca > certificates and stops nslcd that I do not use:You probably can avoid setting up nslcd in the first place: auth? --useshadow --passalgo=sha512 --enablesssd --enablesssdauth --enableldap --ldapserver="ldaps://my.ldap.server.fr" --ldapbasedn=dc=my,dc=base,dc=dn> echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf > cd /etc/openldap/cacerts/ && wget > http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s > ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0 > cd /etc/openldap/certs/ && wget > http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crtSee the man page for update-ca-trust. I *think* you need to do something more like: cd /etc/pki/ca-trust/source/anchors/ wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt update-ca-trust extract ...you shouldn't have to do anything with the server's cert specifically.
Patrick Begou
2018-Jun-15 13:12 UTC
[CentOS] CentOS7: Setting up ldap over TLS in kickstart file
Thanks Paul and Gordon for your reply. I'm not sure, but I think the problem is setting up ldap+TLS while the certificates are not uploaded on the server. So I decide to setup LDAP in a "post" section only, adding the "--enablesssd --enablesssdauth" options suggested by Gordon too. in the kickstart file: *auth? --useshadow --passalgo=sha512 * in a post section: #? LDAP setup *authconfig --enableldap --enableldapauth --enablesssd --enablesssdauth --ldapserver="ldaps://my.ldap.server" --ldapbasedn=dc=my,dc=local,dc=dn --update** *# Certificat Upload *cd /etc/openldap/cacerts/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt** *# server public key upload *cd /etc/openldap/cacerts/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt** *cd / #? TLS setup *authconfig --enableldaptls --update** * And this works fine. Certificat bundle seams to be accepted (I've also tryed to split the file, no change) and the last command builds the hashes of the certificates too. My last problem is that ?firstboot --disabled don't seams to work in my config but... Thanks for your helpfull suggestions about sssd and certificates. Patrick -- ==================================================================| Equipe M.O.S.T. | | | Patrick BEGOU | mailto:Patrick.Begou at grenoble-inp.fr | | LEGI | | | BP 53 X | Tel 04 76 82 51 35 | | 38041 GRENOBLE CEDEX | Fax 04 76 82 52 71 | ===================================================================