NetBSD-Users archive


Re: Using LDAP for auth against LINUX



On Wed, Jan 7, 2009 at 11:15 AM, Uwe Lienig
<uwe.lienig%fif.mw.htw-dresden.de@localhost> wrote:
> Mike Bowie wrote:
>>
>> I'd suggest adding '-ZZ' to the ldapsearch parameters to force it to
>> use TLS... I'm guessing it will fail because it doesn't like the remote
>> cert.
> Thanks for the hint. Yes, ldapsearch failed with
>
>  ldap_start_tls: Connect error (-11)
>
> As I understand that leaves network communication unencrypted. Not what I
> wanted, but at the moment I leave that for the next step
>
>>
>> Try adding "TLS_REQCERT never" to your ldap.conf (or other config file)
>> file and see if that helps.  I've not used LDAP with PAM etc, but I do
>> use that with other mechanisms.
>>
>> HTH,
>>
>> Mike.
>>
> After removing the option
>
>  ssl start_tls
>
> from the pam_ldap.conf file getent(1) found the user tst. Here is the log
> snippet of the LDAP server:
>
> Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 ACCEPT from \
> IP=141.56.22.4:61808 (IP=0.0.0.0:389)
> Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 BIND dn="" method=128
> Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 RESULT tag=97 err=0 text=
> Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH \
> base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 \
> filter="(&(objectClass=posixAccount)(uid=tst))"
> Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH attr=uid \
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos \
> description objectClass
> Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SEARCH RESULT tag=101 \
> err=0 nentries=1 text=
> Jan  7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 closed (connection lost)
>
> After that I had to fiddle with the PAM system, but incorporating the hints
> from wiki.netbsd.de regarding LDAP I can log in.
>
> Now, since user passwords are transferred clear text over the wire I have to
> get TLS working. Are there any gotchas in setting up TLS? Would it be better to
> use SSL instead and force the server to listen to the LDAP SSL port?
>

You need to get ldapsearch working with starttls or ssl before trying
with nss.  The ldaps:// (port 636) method is the most common, so it
might be easier to get going, but don't give up on starttls if you
have the time.  :)

http://www.openldap.org/faq/data/cache/185.html
