[clug] LDAP over SSL/TLS not working

Kim Holburn kim.holburn at anu.edu.au
Sat Oct 1 22:11:09 GMT 2005



On 2005 Oct 02 at 1:11 AM, Jade Barton wrote:
> Hi all,
>
> I am having some dramas with LDAP over SSL/TLS for authentication
> purposes.  I have got the following to work:
> - Authentication without SSL/TLS (from FC4 box to server).  Users are
> able to log on in insecure mode.
> - SSL/TLS or insecure mode works when accessing the address book from
> e-mail clients (ie. ou=AddressBook,dc=domain,dc=net). This works with
> or without authentication.
>
> The bit I haven't got to work is as soon as I enable the "Use TLS to
> encrypt connections" box in the FC4 authentication dialogue it won't
> authenticate.  One of the things that is confusing me is that FC4 has
> 2 ldap.conf files on the client (/etc/ldap.conf &
> /etc/openldap/ldap.conf shown below). The former appears to be the one
> requiring change(?).  I have tried putting "port 636" into the
> ldap.conf client file but it didn't seem to help.  All I had to do to
> get the e-mail clients to connect via SSL/TLS was change their port
> number to 636 and accept the cert when prompted.  I have placed the
> server certificate in the /etc/openldap/cacerts folder on the client.
>
> Google and a copy of "LDAP System Admin. - O'Reilly" aren't helping me
> much.  Mainly due to the fact that I am still learning and no doubt
> have a few knowledge holes.  Any help would be most appreciated,
> especially good references.  Also, feel free to pick on any other
> parts of the slapd.conf file you notice in error.  Apologies if some
> of this lacks sense, it's late and my head hurts.
>
> Copy of slapd.conf on server... (comments and stuff removed)
> -----------------BEGIN-----------------
> include            /etc/openldap/schema/core.schema
> include            /etc/openldap/schema/cosine.schema
> include            /etc/openldap/schema/inetorgperson.schema
> ##Include for NIS support
> include            /etc/openldap/schema/nis.schema
> loglevel        296
> pidfile            /var/run/slapd.pid
> argsfile        /var/run/slapd.args
> ##TLS options
> TLSCipherSuite        HIGH:MEDIUM:+SSLv2
> TLSCertificateFile    /usr/share/ssl/certs/XXXX_slapdcert.pem
> TLSCertificateKeyFile    /usr/share/ssl/private/XXXX_slapdkey.pem

I assume these are a real cert/key pair, not example ones.

> password-hash    {SSHA}
> # bdb database definitions
> database        bdb
> suffix            "dc=domain,dc=net"
> rootdn            "cn=Manager,dc=domain,dc=net"
> rootpw            {SSHA}removed
> directory        /var/lib/ldap/xxxx
> mode            0600
> ##Indexes to maintain
> index objectClass,uid,uidNumber,gidNumber    eq
> index cn                    eq
> ##ACL's
> access to attrs=userPassword
>     by self write
>     by * auth
> access to *
>         by * read
> ###################################################################### 
> #
> -----------------END-----------------
> Copy of ldap.conf on client... (comments and stuff removed)
> -----------------BEGIN-----------------
> [root at xxxx ~]# more /etc/ldap.conf | grep -v ^# | grep .
> host 192.168.111.1
> base dc=domain,dc=net
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts

I think you need a line here saying something like:
tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem

> pam_password md5
> -----------------END-----------------
> -----------------BEGIN-----------------
> [root at xxxx ~]# more /etc/openldap/ldap.conf | grep -v ^# | grep .
> HOST 192.168.111.1
> BASE dc=domain,dc=net
> TLS_CACERTDIR /etc/openldap/cacerts

tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem

> -----------------END-----------------
>
>
> --
> Jade
>   --  Of all the manifestations of power,
>             restraint impresses men the most --
>                                       Thucydides
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>

-- 
Kim Holburn
Network and Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121 aim://kimholburn
Email: kim.holburn at nicta.com.au  - PGP Public Key on request   
callto://kholburn
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.

Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
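Added example (editor's, not code from either poster): what the client side of this thread depends on, and how to check it offline before touching the FC4 box again. Two details matter for a client configured like the one quoted above. First, "ssl start_tls" in /etc/ldap.conf means StartTLS on the plain LDAP port 389; a "port 636" line belongs with "ssl on" (ldaps), so adding it to a start_tls setup does not help. Second, tls_cacertdir / TLS_CACERTDIR name an OpenSSL hashed directory: the certificate that issued the server certificate (or the server certificate itself, if it is self-signed) must be reachable there under a <subject-hash>.0 name, which simply copying the file into /etc/openldap/cacerts does not create; the single-file tls_cacertfile / TLS_CACERT options avoid the hashing step. The server certificate must also name whatever the client connects to, so with "host 192.168.111.1" it needs that address in its subjectAltName (or CN). The script below builds a throwaway CA and server certificate and runs both checks with openssl. The CA name, the server CN ldap.domain.net, the two-day lifetimes and all file names are assumptions for the demo; only dc=domain,dc=net and 192.168.111.1 come from the original post, and nothing here touches a real /etc/openldap.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a throwaway CA
# and server certificate, installs the CA into an OpenSSL-style hashed
# cacerts directory (what TLS_CACERTDIR / tls_cacertdir expect) and checks
# the server certificate the way libldap's verification does.
# Assumed for the demo: the CA name, the server CN ldap.domain.net, the
# lifetimes and every file name. 192.168.111.1 is the address the original
# client ldap.conf points at. Works in a temp dir; nothing system-wide.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CACERTS="$WORK/cacerts"        # stands in for /etc/openldap/cacerts

# Throwaway CA key and self-signed CA certificate (assumed name).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Server certificate signed by that CA. $1 is the subjectAltName value,
# e.g. "IP:192.168.111.1". libldap compares the name the client connected
# to (the "host" line) with the certificate's SAN/CN, so a client that
# uses an IP address needs that IP in the SAN even when the CA is trusted.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.domain.net" \
        -keyout "$WORK/slapdkey.pem" -out "$WORK/slapd.csr" >/dev/null 2>&1
    printf 'subjectAltName=%s\n' "$1" > "$WORK/ext.cnf"
    openssl x509 -req -days 2 -in "$WORK/slapd.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/slapdcert.pem" >/dev/null 2>&1
}

# Install the CA into a cacerts directory $1. Copying the PEM file there
# is not enough: a CApath lookup opens <subject-hash>.0, so the directory
# needs a hash-named entry (this is what c_rehash / openssl rehash create).
# $2 = "hash" to add that link, "copy" to reproduce the bare-copy mistake.
install_ca() {
    mkdir -p "$1"
    cp "$WORK/ca.pem" "$1/ca.pem"
    if [ "$2" = hash ]; then
        h=$(openssl x509 -noout -hash -in "$1/ca.pem")
        ln -sf ca.pem "$1/$h.0"
    fi
}

# Chain check: exit 0 iff the server certificate verifies against CApath $1.
verify_chain() {
    openssl verify -CApath "$1" "$WORK/slapdcert.pem" >/dev/null 2>&1
}

# Name check: exit 0 iff the server certificate lists IP address $1 as a SAN.
verify_name() {
    openssl x509 -noout -text -in "$WORK/slapdcert.pem" \
        | grep -q "IP Address:$1"
}

# Walk-through: a bare copy of the CA fails the chain check, the hashed
# directory passes it, and the name check is independent of the chain.
demo() {
    make_ca
    make_server_cert "IP:192.168.111.1"
    install_ca "$WORK/nohash" copy
    verify_chain "$WORK/nohash" && return 1   # must fail: no <hash>.0 entry
    install_ca "$CACERTS" hash
    verify_chain "$CACERTS" || return 1
    verify_name 192.168.111.1 || return 1
    verify_name 10.0.0.1 && return 1          # must fail: not in the SAN
    echo "cacerts dir $CACERTS verifies the server cert for 192.168.111.1"
}

demo
```

Run it with sh; it exits non-zero as soon as one of the checks does not behave as the comments say. Against the real server the equivalent end-to-end check is ldapsearch -x -ZZ -H ldap://192.168.111.1 -b dc=domain,dc=net -d 1 on the client, where -ZZ insists on StartTLS and -d 1 prints the TLS failure reason instead of a bare "Can't contact LDAP server". One caveat on the server side: "+SSLv2" in an OpenSSL cipher string only moves the SSLv2 suites to the end of the preference list; "!SSLv2" is what excludes them.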