[clug] LDAP over SSL/TLS not working

Jade Barton jade.barton at gmail.com
Sat Oct 1 15:11:09 GMT 2005


Hi all,

I am having some dramas with LDAP over SSL/TLS for authentication
purposes.  I have got the following to work:
- Authentication without SSL/TLS (from FC4 box to server).  Users are
able to log on in insecure mode.
- SSL/TLS or insecure mode works when accessing the address book from
e-mail clients (i.e. ou=AddressBook,dc=domain,dc=net). This works with
or without authentication.

The bit I haven't got to work is as soon as I enable the "Use TLS to
encrypt connections" box in the FC4 authentication dialogue it won't
authenticate.  One of the things that is confusing me is that FC4 has
2 ldap.conf files on the client (/etc/ldap.conf &
/etc/openldap/ldap.conf shown below). The former appears to be the one
requiring change(?).  I have tried putting "port 636" into the
ldap.conf client file but it didn't seem to help.  All I had to do to
get the e-mail clients to connect via SSL/TLS was change their port
number to 636 and accept the cert when prompted.  I have placed the
server certificate in the /etc/openldap/cacerts folder on the client.

Google and a copy of "LDAP System Admin. - O'Reilly" aren't helping me
much.  Mainly due to the fact that I am still learning and no doubt
have a few knowledge holes.  Any help would be most appreciated,
especially good references.  Also, feel free to pick on any other
parts of the slapd.conf file you notice in error.  Apologies if some
of this lacks sense, it's late and my head hurts.

Copy of slapd.conf on server... (comments and stuff removed)
-----------------BEGIN-----------------
include			/etc/openldap/schema/core.schema
include			/etc/openldap/schema/cosine.schema
include			/etc/openldap/schema/inetorgperson.schema
##Include for NIS support
include			/etc/openldap/schema/nis.schema
loglevel		296
pidfile			/var/run/slapd.pid
argsfile		/var/run/slapd.args
##TLS options
TLSCipherSuite		HIGH:MEDIUM:+SSLv2
TLSCertificateFile	/usr/share/ssl/certs/XXXX_slapdcert.pem
TLSCertificateKeyFile	/usr/share/ssl/private/XXXX_slapdkey.pem
password-hash	{SSHA}
# bdb database definitions
database		bdb
suffix			"dc=domain,dc=net"
rootdn			"cn=Manager,dc=domain,dc=net"
rootpw			{SSHA}removed
directory		/var/lib/ldap/xxxx
mode			0600
##Indexes to maintain
index objectClass,uid,uidNumber,gidNumber	eq
index cn					eq
##ACL's
access to attrs=userPassword
	by self write
	by * auth
access to *
        by * read
#######################################################################
-----------------END-----------------
Copy of ldap.conf on client... (comments and stuff removed)
-----------------BEGIN-----------------
[root at xxxx ~]# more /etc/ldap.conf | grep -v ^# | grep .
host 192.168.111.1
base dc=domain,dc=net
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
-----------------END-----------------
-----------------BEGIN-----------------
[root at xxxx ~]# more /etc/openldap/ldap.conf | grep -v ^# | grep .
HOST 192.168.111.1
BASE dc=domain,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
-----------------END-----------------


--
Jade
  --  Of all the manifestations of power,
            restraint impresses men the most --
                                      Thucydides


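The following is an added diagnostic example for the setup described in the post above; it is not part of the original message and not code from OpenLDAP, nss_ldap or Fedora. It assumes placeholders LDAP_HOST, LDAP_BASE and CACERTDIR supplied through the environment, and it encodes three things a practitioner checks first in this situation: nss_ldap's "ssl start_tls" means STARTTLS on the plain port (389), whereas "ssl on" means LDAPS on 636, so adding "port 636" to a start_tls config points the client at the wrong kind of port; tls_cacertdir is an OpenSSL hash directory, so a certificate copied in without a <hash>.0 link is never consulted; and ldapsearch -ZZ plus openssl s_client show whether the server side is actually offering TLS on each port.

```sh
#!/bin/sh
# Added example for the thread above; not part of the original post or of
# OpenLDAP/nss_ldap. LDAP_HOST, LDAP_BASE and CACERTDIR are assumed
# placeholders supplied via the environment.
#
# nss_ldap's /etc/ldap.conf selects the transport with "ssl":
#   ssl start_tls -> STARTTLS negotiated on the plain port (389, ldap://)
#   ssl on        -> LDAPS, TLS from the first byte (636, ldaps://)
# so "port 636" together with "ssl start_tls" sends a cleartext LDAP
# StartTLS request to a port that expects a TLS handshake immediately.

# Print the URI the given ldap.conf effectively asks for; warn on the
# start_tls + 636 mix-up. Keys are matched case-insensitively so the same
# function reads /etc/openldap/ldap.conf (HOST/BASE) as well.
ldap_uri_from_conf() {
    conf=$1
    host=$(awk 'tolower($1)=="host" {print $2; exit}' "$conf")
    port=$(awk 'tolower($1)=="port" {print $2; exit}' "$conf")
    ssl=$(awk 'tolower($1)=="ssl"  {print tolower($2); exit}' "$conf")
    case "$ssl" in
        on) scheme=ldaps; : "${port:=636}" ;;
        *)  scheme=ldap;  : "${port:=389}" ;;
    esac
    if [ "$ssl" = start_tls ] && [ "$port" = 636 ]; then
        echo "warning: 'ssl start_tls' with port 636 mixes STARTTLS and LDAPS" >&2
    fi
    printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# tls_cacertdir / TLS_CACERTDIR is an OpenSSL hash directory: the library
# opens <subject-hash>.0, <subject-hash>.1, ... and ignores other names.
# A PEM copied in without a hash link is never read, so the server cert
# fails verification. Returns 0 if at least one hash entry exists.
cacertdir_is_hashed() {
    for f in "$1"/*.[0-9]; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9])
                return 0 ;;
        esac
    done
    return 1
}

# Create the hash links for every *.pem in the directory (what c_rehash
# does); needs the openssl binary. The hash value depends on the OpenSSL
# version, so rehash after upgrading OpenSSL.
hash_cacertdir() {
    for pem in "$1"/*.pem; do
        [ -e "$pem" ] || continue
        ln -sf "$(basename "$pem")" "$1/$(openssl x509 -noout -hash -in "$pem").0"
    done
}

# Live checks, run only when LDAP_HOST is set so this file is safe to source.
# -ZZ makes ldapsearch fail unless STARTTLS succeeds and the certificate
# verifies; s_client shows the chain and verify result on the LDAPS port.
if [ -n "${LDAP_HOST:-}" ]; then
    cacertdir=${CACERTDIR:-/etc/openldap/cacerts}
    cacertdir_is_hashed "$cacertdir" \
        || echo "note: $cacertdir has no hash links; run hash_cacertdir $cacertdir" >&2
    ldapsearch -x -ZZ -H "ldap://$LDAP_HOST" -b "${LDAP_BASE:-dc=domain,dc=net}" \
        -s base '(objectClass=*)' dn \
        || echo "STARTTLS to $LDAP_HOST:389 failed" >&2
    openssl s_client -connect "$LDAP_HOST:636" -CApath "$cacertdir" </dev/null 2>/dev/null \
        | grep -E '^subject=|Verify return code' \
        || echo "no TLS on $LDAP_HOST:636 (slapd not started with ldaps:///?)" >&2
fi
```

Two things this script cannot see but that belong to the same checklist: slapd only answers on 636 when it is started with an ldaps:/// listener (slapd -h "ldap:/// ldaps:///"; on Fedora/RHEL init scripts of that era that is SLAPD_LDAPS=yes in /etc/sysconfig/ldap), and the client library verifies that the name it was told to connect to matches the certificate's subject, so a "host 192.168.111.1" line needs a certificate issued for that address, or a hostname in the config that matches the certificate. Mail clients get past both by letting the user click "accept"; nss_ldap has no user to ask, so the handshake just fails.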