Re: Using LDAP for auth against LINUX

Subject: Re: Using LDAP for auth against LINUX
From: Uwe Lienig <uwe.lienig%fif.mw.htw-dresden.de@localhost>
Date: Wed, 07 Jan 2009 17:15:52 +0100

Mike Bowie wrote:
> 
> I'd suggesting adding '-ZZ' to the ldapsearch parameters to force it to
> use TLS... I'm guessing it will fail because it doesn't like the remote
> cert.
Thanks for the hint. Yes, ldapsearch failed with

  ldap_start_tls: Connect error (-11)

As I understand that leaves network communication unencrypted. Not what I
wanted, but at the moment I leave that for the next step

> 
> Try adding "TLS_REQCERT never" to your ldap.conf (or other config file)
> file and see if that helps.  I've not used LDAP with PAM etc, but I do
> use that with other mechanisms.
> 
> HTH,
> 
> Mike.
> 
After removing the option

  ssl start_tls

from the pam_ldap.conf file getent(1) found the user tst. Here is the log
snippet of the LDAP server:

Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 ACCEPT from \
IP=141.56.22.4:61808 (IP=0.0.0.0:389)
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 BIND dn="" method=128
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 RESULT tag=97 err=0 text=
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH \
base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 \
filter="(&(objectClass=posixAccount)(uid=tst))"
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH attr=uid \
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos \
description objectClass
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SEARCH RESULT tag=101 \
err=0 nentries=1 text=
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 closed (connection lost)

After that I had to fiddle with the PAM system, but incorporating the hints from
wiki.netbsd.de regarding LDAP I can login.

Now, since user passwords are transferred clear text over the wire I have to get
TLS working. Are there any gotchas in setting up TLS? Would it be better to use
SSL instead and force the server to listen to the LDAP SSL port?

Thanks.

-- 


Uwe Lienig
----------
fon: (+49 351) 462 2780
fax: (+49 351) 462 3476
mailto:uwe.lienig%fif.mw.htw-dresden.de@localhost

Forschungsinstitut Fahrzeugtechnik
<http://www.fif.mw.htw-dresden.de>
parcels: Gutzkowstr. 22, 01069 Dresden
letters: PF 12 07 01,    01008 Dresden

Hochschule für Technik und Wirtschaft Dresden (FH)
Friedrich-List-Platz 1, 01069 Dresden

Follow-Ups:
- Re: Using LDAP for auth against LINUX
  - From: Mike Bowie
- Re: Using LDAP for auth against LINUX
  - From: matthew sporleder

References:
- Using LDAP for auth against LINUX
  - From: Uwe Lienig
- Re: Using LDAP for auth against LINUX
  - From: matthew sporleder
- Re: Using LDAP for auth against LINUX
  - From: Johnny Billquist
- Re: Using LDAP for auth against LINUX
  - From: Uwe Lienig
- Re: Using LDAP for auth against LINUX
  - From: Mike Bowie

Prev by Date: Re: adding fwip0 to bridge0
Next by Date: Re: Using LDAP for auth against LINUX
Previous by Thread: Re: Using LDAP for auth against LINUX
Next by Thread: Re: Using LDAP for auth against LINUX
Indexes:

Home | Main Index | Thread Index | Old Index