NetBSD-Users archive


Re: Using LDAP for auth against LINUX



Uwe Lienig wrote:
Mike Bowie wrote:
I'd suggest adding '-ZZ' to the ldapsearch parameters to force it to
use TLS... I'm guessing it will fail because it doesn't like the remote
cert.
Thanks for the hint. Yes, ldapsearch failed with

  ldap_start_tls: Connect error (-11)

As I understand it, that leaves network communication unencrypted. Not what I
wanted, but at the moment I leave that for the next step.

Try adding "TLS_REQCERT never" to your ldap.conf (or other config file)
and see if that helps.  I've not used LDAP with PAM etc, but I do
use that with other mechanisms.

HTH,

Mike.

After removing the option

  ssl start_tls

from the pam_ldap.conf file getent(1) found the user tst. Here is the log
snippet of the LDAP server:

Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 ACCEPT from \
IP=141.56.22.4:61808 (IP=0.0.0.0:389)
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 BIND dn="" method=128
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 RESULT tag=97 err=0 text=
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH \
base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 \
filter="(&(objectClass=posixAccount)(uid=tst))"
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH attr=uid \
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos \
description objectClass
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SEARCH RESULT tag=101 \
err=0 nentries=1 text=
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 closed (connection lost)

After that I had to fiddle with the PAM system, but incorporating the hints from
wiki.netbsd.de regarding LDAP I can login.

Now, since user passwords are transferred clear text over the wire I have to get
TLS working. Are there any gotchas in setting up TLS? Would it be better to use
SSL instead and force the server to listen to the LDAP SSL port?

Thanks.
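
The slapd log quoted in the message above is exactly the evidence a defender wants when deciding whether credentials cross the wire in the clear: the connection arrives on plain port 389, there is no "TLS established" line, the bind is a simple bind (method=128), and the nss lookup asks the server for userPassword. The following script is an added example, not code from the thread or from OpenLDAP. It parses slapd log lines grouped by conn= id and flags unencrypted simple binds and unencrypted searches that request userPassword. conn=11611 is the session from the message; conn=11612 (STARTTLS before binding) and conn=11613 (user bind with no TLS) are constructed for contrast, and the "TLS established" / STARTTLS line formats are assumed to follow the usual slapd stats logging.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log. conn=11611 is the exchange quoted in the message
# above (anonymous bind, then a search that asks for userPassword, all on
# plain port 389). conn=11612 and conn=11613 are made up for contrast: one
# upgrades with STARTTLS before binding as a user, one binds as a user with
# no TLS at all.
SAMPLE_LOG = """\
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 ACCEPT from IP=141.56.22.4:61808 (IP=0.0.0.0:389)
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 BIND dn="" method=128
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 RESULT tag=97 err=0 text=
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=tst))"
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 closed (connection lost)
Jan  7 09:48:01 ldapsrv slapd[4614]: conn=11612 fd=55 ACCEPT from IP=141.56.22.4:61810 (IP=0.0.0.0:389)
Jan  7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=0 STARTTLS
Jan  7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=0 RESULT oid= err=0 text=
Jan  7 09:48:01 ldapsrv slapd[4614]: conn=11612 fd=55 TLS established tls_ssf=256 ssf=256
Jan  7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=1 BIND dn="uid=tst,ou=people,dc=some,dc=domain,dc=org" method=128
Jan  7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=1 RESULT tag=97 err=0 text=
Jan  7 09:48:01 ldapsrv slapd[4614]: conn=11612 fd=55 closed
Jan  7 09:49:10 ldapsrv slapd[4614]: conn=11613 fd=56 ACCEPT from IP=141.56.22.4:61812 (IP=0.0.0.0:389)
Jan  7 09:49:10 ldapsrv slapd[4614]: conn=11613 op=0 BIND dn="uid=tst,ou=people,dc=some,dc=domain,dc=org" method=128
Jan  7 09:49:10 ldapsrv slapd[4614]: conn=11613 op=0 RESULT tag=97 err=0 text=
Jan  7 09:49:10 ldapsrv slapd[4614]: conn=11613 fd=56 closed
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')
ATTR_RE = re.compile(r"op=\d+ SRCH attr=(.*)")


@dataclass
class Conn:
    conn_id: str
    client: str = ""
    port: str = ""
    tls: bool = False                              # True once "TLS established" is logged
    binds: list = field(default_factory=list)      # (dn, method, tls_at_that_time)
    searches: list = field(default_factory=list)   # (requested attrs, tls_at_that_time)


def parse_slapd_log(text):
    """Group slapd stats lines by conn= id, recording when TLS came up."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = m.groups()
        c = conns.setdefault(cid, Conn(cid))
        if (a := ACCEPT_RE.match(rest)):
            c.client, c.port = a.groups()
        elif "TLS established" in rest:
            c.tls = True
        elif (b := BIND_RE.match(rest)):
            c.binds.append((b.group(1), int(b.group(2)), c.tls))
        elif (s := ATTR_RE.match(rest)):
            c.searches.append((s.group(1).split(), c.tls))
    return conns


def audit_connections(conns):
    """Return (conn_id, kind, detail) for traffic that crossed the wire unencrypted.

    method=128 is a simple bind; with a non-empty dn it carries the password in
    clear text unless TLS was already established on that connection. An
    anonymous bind (dn="") sends no password, but a search that asks for
    userPassword on the same unencrypted connection exposes whatever the
    server's ACLs return. ldaps (port 636) is TLS from the first byte, so it
    is skipped.
    """
    findings = []
    for c in conns.values():
        if c.port == "636":
            continue
        for dn, method, tls in c.binds:
            if method == 128 and dn and not tls:
                findings.append((c.conn_id, "cleartext_bind", dn))
        for attrs, tls in c.searches:
            if "userPassword" in attrs and not tls:
                findings.append((c.conn_id, "cleartext_attr_search", "userPassword"))
    return findings


if __name__ == "__main__":
    for finding in audit_connections(parse_slapd_log(SAMPLE_LOG)):
        print(*finding)
```

Run against a real slapd log (loglevel stats), the same two functions give a quick answer to the question the thread is circling: which clients are still binding or pulling userPassword before STARTTLS has completed.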


IMHO TLS is a much better option than SSL. I'm still guessing that the LDAP client doesn't like the TLS cert, or the server is requiring a cert from the client. (It's been a while since I've played with our LDAP servers.)

The server may need something like "TLSVerifyClient never" to accept unverified clients, or the client isn't liking the server's cert, in which case the ldap.conf option I posted earlier should do it. Google should be able to tell you which is failing based on the ldapsearch return code.

HTH,

Mike.
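
The two knobs named in this reply sit on opposite ends of the connection: TLS_REQCERT in the client's ldap.conf decides whether the server's certificate is verified, and TLSVerifyClient in slapd.conf decides whether the server insists on a certificate from the client. The script below is an added example, not code from the thread or from OpenLDAP. It parses both files (keyword, whitespace, value; '#' comments; case-insensitive keywords) and reports the settings that either disable verification or make the handshake fail. The host name and CA file path are assumptions; the BASE is the suffix from the slapd log earlier in the thread; the defaults used (TLS_REQCERT demand on the client, TLSVerifyClient never on the server) are OpenLDAP's documented defaults.

```python
import re

# Constructed client configs. "TLS_REQCERT never" makes STARTTLS succeed
# against any certificate, which also means any host answering as ldapsrv
# is accepted. The hardened file names a trust anchor and keeps the default
# verification level instead.
WEAK_CLIENT_CONF = """\
# ldap.conf - certificate checking switched off
URI ldap://ldapsrv.some.domain.org
BASE dc=some,dc=domain,dc=org
TLS_REQCERT never
"""

HARDENED_CLIENT_CONF = """\
# ldap.conf - trust the site CA and insist on a valid server certificate
URI ldap://ldapsrv.some.domain.org
BASE dc=some,dc=domain,dc=org
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
"""

# Constructed slapd.conf fragment: a server that demands client certificates
# will refuse a client that has none, which looks like a TLS failure on the
# client side.
STRICT_SERVER_CONF = """\
TLSCertificateFile /etc/openldap/ldapsrv.crt
TLSCertificateKeyFile /etc/openldap/ldapsrv.key
TLSVerifyClient demand
"""


def parse_conf(text):
    """Parse 'KEYWORD value' lines; keywords are upper-cased, comments skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text):
    """Findings for a client ldap.conf, as a list of strings (empty is good)."""
    s = parse_conf(text)
    findings = []
    reqcert = s.get("TLS_REQCERT", "demand").lower()   # OpenLDAP default: demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified, "
                        "so TLS only hides traffic from passive observers")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server that presents no certificate is accepted")
    has_anchor = "TLS_CACERT" in s or "TLS_CACERTDIR" in s
    if reqcert in ("demand", "hard", "try") and not has_anchor:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a site-issued server certificate "
                        "has no trust anchor and will be rejected")
    return findings


def audit_slapd_conf(text):
    """Findings for the server side: does slapd require something the client lacks?"""
    s = parse_conf(text)
    findings = []
    verify = s.get("TLSVERIFYCLIENT", "never").lower()   # OpenLDAP default: never
    if verify in ("demand", "hard"):
        findings.append(f"TLSVerifyClient {verify}: clients without a certificate "
                        "are refused during the handshake")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CLIENT_CONF), ("hardened", HARDENED_CLIENT_CONF)):
        print(name, audit_ldap_conf(text) or "ok")
    print("server", audit_slapd_conf(STRICT_SERVER_CONF) or "ok")
```

The checker distinguishes the two ways the ldapsearch -ZZ test can fail: verification that is switched off silently (never/allow), and verification that is on but has no CA to verify against, which is the case where pointing TLS_CACERT at the server's issuing CA fixes the handshake without giving up the check.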



