NetBSD-Users archive


Re: Using LDAP for auth against LINUX



Johnny Billquist wrote:
>>
>> Watch the logs on the ldap server when you use getent to see if it is
>> actually performing the search, or even trying to connect.
Ok, got some new bits with this issue.
In the log of the LDAP server there are some messages that prove PAM is using
LDAP and tries to use TLS.

-------- snip ----------
Jan  6 17:36:58 srv slapd[4614]: conn=10832 fd=40 ACCEPT from \
IP=ip.addr.of.host:62361 (IP=0.0.0.0:389)
Jan  6 17:36:58 srv slapd[4614]: conn=10832 op=0 STARTTLS
Jan  6 17:36:58 srv slapd[4614]: conn=10832 op=0 RESULT oid= err=0 text=
Jan  6 17:36:58 srv slapd[4614]: conn=10832 fd=40 closed \
(TLS negotiation failure)
-------- snip ----------

What puzzles me is that when using ldapsearch no STARTTLS message is logged.

When I use a simple search

$ > ldapsearch 'uid=tst'

I get the correct answer. In the LDAP server log I can see

-------- snip ----------
Jan  6 17:46:05 srv slapd[4614]: conn=10842 fd=40 ACCEPT from \
IP=ip.addr.of.host:62355 (IP=0.0.0.0:389)
Jan  6 17:46:05 srv slapd[4614]: conn=10842 op=0 BIND dn="" method=128
Jan  6 17:46:05 srv slapd[4614]: conn=10842 op=0 RESULT tag=97 err=0 text=
Jan  6 17:46:05 srv slapd[4614]: conn=10842 op=1 SRCH \
base="dc=some,dc=domain,dc=org" scope=2 deref=0 filter="(uid=tst)"
Jan  6 17:46:05 srv slapd[4614]: conn=10842 op=1 SEARCH RESULT tag=101 err=0 \
nentries=1 text=
Jan  6 17:46:05 srv slapd[4614]: conn=10842 op=2 UNBIND
-------- snip ----------

What makes me curious is that there is no STARTTLS entry although TLS_CACERT is
defined in the LDAP conf.

>>
>> Also- what happens when you switch ldap to be before nis?

> I didn't think that NetBSD version 3 supported ldap in nsswitch.conf.
> But maybe I remember wrong?
> 
>     Johnny
So, the LDAP log says: NetBSD version 3 is doing LDAP.

I think I have to get the TLS thing right. But the man page is somewhat cryptic.
In /usr/pkg/etc/pam_ldap.conf I have set tls_cacertfile to the server key

tls_cacertfile /etc/openssl/certs/serverkey.pem

But that seems to be wrong - not sure, but it's not working.

Do I have to import the key somehow? What about the LDAP root password? But I
think that this isn't necessary for fetching user records.

Thanks.

-- 


Uwe Lienig
----------
fon: (+49 351) 462 2780
fax: (+49 351) 462 3476
mailto:uwe.lienig%fif.mw.htw-dresden.de@localhost

Forschungsinstitut Fahrzeugtechnik
<http://www.fif.mw.htw-dresden.de>
parcels: Gutzkowstr. 22, 01069 Dresden
letters: PF 12 07 01,    01008 Dresden

Hochschule für Technik und Wirtschaft Dresden (FH)
Friedrich-List-Platz 1, 01069 Dresden
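Added example, not part of the mail above or of the OpenLDAP/NetBSD projects: a small Python checker that groups slapd log lines like the snips in the mail by conn= id and flags (a) connections that ended with a TLS negotiation failure and (b) binds or searches issued before any STARTTLS, i.e. in the clear on port 389. The sample log is constructed; hosts, ports and the cn=admin DN are invented.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the syslog format slapd uses; hosts, ports and DNs are invented.
SAMPLE_LOG = """\
Jan  6 17:36:58 srv slapd[4614]: conn=10832 fd=40 ACCEPT from IP=192.0.2.10:62361 (IP=0.0.0.0:389)
Jan  6 17:36:58 srv slapd[4614]: conn=10832 op=0 STARTTLS
Jan  6 17:36:58 srv slapd[4614]: conn=10832 op=0 RESULT oid= err=0 text=
Jan  6 17:36:58 srv slapd[4614]: conn=10832 fd=40 closed (TLS negotiation failure)
Jan  6 17:46:05 srv slapd[4614]: conn=10842 fd=40 ACCEPT from IP=192.0.2.10:62355 (IP=0.0.0.0:389)
Jan  6 17:46:05 srv slapd[4614]: conn=10842 op=0 BIND dn="" method=128
Jan  6 17:46:05 srv slapd[4614]: conn=10842 op=1 SRCH base="dc=some,dc=domain,dc=org" scope=2 deref=0 filter="(uid=tst)"
Jan  6 17:50:12 srv slapd[4614]: conn=10850 fd=41 ACCEPT from IP=192.0.2.11:40001 (IP=0.0.0.0:389)
Jan  6 17:50:12 srv slapd[4614]: conn=10850 op=0 BIND dn="cn=admin,dc=some,dc=domain,dc=org" method=128
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
BIND_RE = re.compile(r'^op=\d+ BIND dn="([^"]*)" method=(\d+)')

@dataclass
class Conn:
    starttls: bool = False    # client issued the STARTTLS extended operation
    tls_failed: bool = False  # server closed the socket with "TLS negotiation failure"
    flags: list = field(default_factory=list)

def parse_slapd_log(text):
    """Group slapd 'conn=' lines by connection id and record TLS-related findings."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c, rest = conns.setdefault(m.group(1), Conn()), m.group(2)
        if rest.endswith(" STARTTLS"):
            c.starttls = True
        elif "TLS negotiation failure" in rest:
            c.tls_failed = True
            c.flags.append("tls_failed")
        elif not c.starttls:  # anything sent before STARTTLS is in the clear on port 389
            b = BIND_RE.match(rest)
            if b and b.group(2) == "128" and b.group(1):
                c.flags.append("cleartext_simple_bind")  # a real DN's password crossed unencrypted
            elif rest.split()[1:2] == ["SRCH"]:
                c.flags.append("cleartext_search")
    return conns

def findings(text):
    """Return [(conn_id, flag), ...] in log order; an empty list means nothing to report."""
    return [(cid, f) for cid, c in parse_slapd_log(text).items() for f in c.flags]
```

The anonymous bind (dn="") on conn 10842 is not flagged as a credential leak, only its search is noted as plaintext; the cn=admin simple bind on conn 10850 is flagged because a password crossed the wire before any STARTTLS.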

