[clug] LDAP over SSL/TLS not working
Kim Holburn
kim.holburn at anu.edu.au
Sat Oct 1 22:11:09 GMT 2005
On 2005 Oct 02 at 1:11 AM, Jade Barton wrote:
> Hi all,
>
> I am having some dramas with LDAP over SSL/TLS for authentication
> purposes. I have got the following to work:
> - Authentication without SSL/TLS (from FC4 box to server). Users are
> able to log on in insecure mode.
> - SSL/TLS or insecure mode works when accessing the address book from
> e-mail clients (ie. ou=AddressBook,dc=domain,dc=net). This works with
> or without authentication.
>
> The bit I haven't got to work is as soon as I enable the "Use TLS to
> encrypt connections" box in the FC4 authentication dialogue it won't
> authenticate. One of the things that is confusing me is that FC4 has
> 2 ldap.conf files on the client (/etc/ldap.conf &
> /etc/openldap/ldap.conf shown below). The former appears to be the one
> requiring change(?). I have tried putting "port 636" into the
> ldap.conf client file but it didn't seem to help. All I had to do to
> get the e-mail clients to connect via SSL/TLS was change their port
> number to 636 and accept the cert when prompted. I have placed the
> server certificate in the /etc/openldap/cacerts folder on the client.
>
> Google and a copy of "LDAP System Admin. - O'Reilly" aren't helping me
> much. Mainly due to the fact that I am still learning and no doubt
> have a few knowledge holes. Any help would be most appreciated,
> especially good references. Also, feel free to pick on any other
> parts of the slapd.conf file you notice in error. Apologies if some
> of this lacks sense, it's late and my head hurts.
>
> Copy of slapd.conf on server... (comments and stuff removed)
> -----------------BEGIN-----------------
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> ##Include for NIS support
> include /etc/openldap/schema/nis.schema
> loglevel 296
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
> ##TLS options
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/share/ssl/certs/XXXX_slapdcert.pem
> TLSCertificateKeyFile /usr/share/ssl/private/XXXX_slapdkey.pem
I assume these are a real cert/key pair, not example ones.
> password-hash {SSHA}
> # bdb database definitions
> database bdb
> suffix "dc=domain,dc=net"
> rootdn "cn=Manager,dc=domain,dc=net"
> rootpw {SSHA}removed
> directory /var/lib/ldap/xxxx
> mode 0600
> ##Indexes to maintain
> index objectClass,uid,uidNumber,gidNumber eq
> index cn eq
> ##ACL's
> access to attrs=userPassword
> by self write
> by * auth
> access to *
> by * read
> ######################################################################
> #
> -----------------END-----------------
> Copy of ldap.conf on client... (comments and stuff removed)
> -----------------BEGIN-----------------
> [root at xxxx ~]# more /etc/ldap.conf | grep -v ^# | grep .
> host 192.168.111.1
> base dc=domain,dc=net
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
I think you need a line here saying something like:
tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
> pam_password md5
> -----------------END-----------------
> -----------------BEGIN-----------------
> [root at xxxx ~]# more /etc/openldap/ldap.conf | grep -v ^# | grep .
> HOST 192.168.111.1
> BASE dc=domain,dc=net
> TLS_CACERTDIR /etc/openldap/cacerts
tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
> -----------------END-----------------
>
>
> --
> Jade
> -- Of all the manifestations of power,
> restraint impresses men the most --
> Thucydides
--
Kim Holburn
Network and Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121 aim://kimholburn
Email: kim.holburn at nicta.com.au - PGP Public Key on request
callto://kholburn
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
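As an added example (not code from the thread), a small Python lint over the client ldap.conf and the server TLS lines posted above. The cacerts directory listing is constructed: it assumes the server certificate was copied into /etc/openldap/cacerts without the hash-named symlinks (c_rehash style) that OpenSSL's CApath lookup, which tls_cacertdir relies on, needs in order to find it.

```python
import re

# Constructed samples: the client /etc/ldap.conf and the TLS lines of the
# server slapd.conf, as posted in the thread.
CLIENT_CONF = """\
host 192.168.111.1
base dc=domain,dc=net
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""
SERVER_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/XXXX_slapdcert.pem
TLSCertificateKeyFile /usr/share/ssl/private/XXXX_slapdkey.pem
"""
# Constructed listing of the client's cacerts directory: the cert was copied
# in, but no "<hash>.0" symlink (as c_rehash would create) exists.
CACERTS_DIR = ["XXXX_slapdcert.pem"]
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # name format CApath lookup uses

def parse_conf(text):
    """Map lower-cased keyword -> value; both files treat keywords case-insensitively."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def lint_client(conf, cacerts_entries):
    """Findings for a pam_ldap/nss_ldap ldap.conf plus its tls_cacertdir listing."""
    findings = []
    if conf.get("ssl") not in ("start_tls", "on", "yes"):
        return ["ssl is off: the bind password crosses the wire in clear"]
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")
    if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no trust anchor: set tls_cacertfile or tls_cacertdir")
    elif "tls_cacertdir" in conf and not any(HASH_NAME.match(e) for e in cacerts_entries):
        findings.append("tls_cacertdir has no <hash>.N entries: run c_rehash on it")
    return findings

def lint_server(conf):
    """Findings for the slapd.conf TLS block."""
    findings = []
    # In OpenSSL cipher strings '+' only reorders; '!' or '-' is what excludes.
    if re.search(r"(?<![!-])SSLv2", conf.get("tlsciphersuite", "")):
        findings.append("TLSCipherSuite keeps SSLv2 ciphers: use !SSLv2")
    for key in ("tlscertificatefile", "tlscertificatekeyfile"):
        if key not in conf:
            findings.append(f"{key} missing: server cannot offer TLS")
    return findings

if __name__ == "__main__":
    for f in lint_client(parse_conf(CLIENT_CONF), CACERTS_DIR) + lint_server(parse_conf(SERVER_CONF)):
        print("-", f)
```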