[clug] LDAP over SSL/TLS not working

Robert Edwards bob at cs.anu.edu.au
Tue Oct 4 00:50:11 GMT 2005


Only 3? You forgot /etc/ldap/slapd.conf and /etc/default/slapd.conf!

As for /etc/libnss_ldap and /etc/pam_ldap.conf, one of these
(/etc/libnss_ldap.conf) is for using LDAP as a Naming Service
(eg. username -> uid etc.) and the other is for using LDAP as
an Authentication Service (eg. is user X who they say they are?).

You may want to use LDAP as a naming service and something else
for authentication, or (as we do on some systems here), use one
LDAP server for naming and a different one altogether (with a
different baseDN) for authentication.

Cheers,

Bob Edwards.

Kim Holburn wrote:
> On debian systems there are 3 ldap conf files: /etc/ldap/ldap.conf,
> /etc/libnss_ldap.conf and /etc/pam_ldap.conf.  They are all slightly
> different and have overlapping sets of configuration directives.  The
> names are indicative of what they are for.  I guess /etc/ldap/ldap.conf
> is equivalent to RH /etc/openldap/ldap.conf
> 
> On 2005 Oct 03 at 9:01 AM, Jade Barton wrote:
> 
>> On 03/10/05, Tomasz Ciolek <tmc at dreamcraft.com.au> wrote:
>>
>>> Jade
>>>
>>> Are you sure that both .conf files are used? If so, would it not be
>>> simpler to move everything into the one file?
>>>
>>
>> I agree completely.  I'm still not sure why there are two files.  If I
>> take the "ssl start_tls" out of /etc/ldap.conf and put it in
>> /etc/openldap/ldap.conf it fails.  And if I take the "TLS_REQCERT
>> never" out of /etc/openldap/ldap.conf and put it in /etc/ldap.conf it
>> also fails??  The documentation that Kim referred me to only mentions
>> the /etc/openldap/ldap.conf file but my system definitely fails if I
>> try to move all the data out of the other file.
>>
>>
>>>
>>> On Mon, Oct 03, 2005 at 12:20:16AM +1000, Jade Barton wrote:
>>>
>>>> add it to.  The system added "ssl start_tls" to the /etc/ldap.conf
>>>> file but the "TLS_REQCERT never" had to be added to
>>>> /etc/openldap/ldap.conf file (??).  I'll have to read more on distro's
>>>> specifics as the O'Reilly book mentions nothing of this.  "never" was
>>>> the only option that worked too.
>>>>
>>>
>>> Ahh the CA configs for SSL certs
>>>
>>> I have a wholly working Certificate Authority setup for my OpenSSL
>>>
>>> The Big one with that is that you have to generate and self sign a CA
>>> certificate. That certificate MAY have its key encrypted.
>>>
>>> The second step is to generate keys and certificate signing requests for
>>> each system that uses those and then sign them with your CA cert.
>>>
>>> Is that what you did?
>>>
>>
>> That's what I think I did, which often differs from what I actually
>> did ;)  Here are some of the commands I ran.
>>
>> cd /data/myca
>> /usr/share/ssl/misc/CA.pl -newca
>> openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
>> <entered all the details for my new key/cert here>
>> /usr/share/ssl/misc/CA.pl -sign
>> <I then selected the key I wanted to sign, the only one in the
>> directory and followed the prompts>
>>
>> I then moved all three files into a separate folder and pointed
>> slapd.conf at it.  I also put the cert on all the clients and pointed
>> ldap.conf to that (TLS_CERT).  I also tried putting the "cacert.pem"
>> file on the client and pointing TLS_CACERT at it with no joy.
>>
>> As I said earlier the O'Reilly book I was working out of implies this
>> is not required but I got the instructions from
>> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0
>>
>>
>>>
>>> Tomasz
>>>
>>> -- 
>>> Tomasz M. Ciolek
>>> *******************************************************************************
>>>  tmc at dreamcraft dot com dot au
>>> *******************************************************************************
>>>    GPG Key ID:          0x41C4C2F0
>>>    GPG Key Fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD 41C4 C2F0
>>>    Key available on www.pgp.net
>>> *******************************************************************************
>>>
>>>
>> -- 
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
>>
> 
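The setting the whole thread turns on is "TLS_REQCERT never": it makes the client accept any server certificate, so STARTTLS still encrypts but no longer tells you which server you are sending bind passwords to. The reason "never" was the only value that worked is that the CA certificate from CA.pl -newca (cacert.pem) was never made a trust anchor on the client; TLS_CERT names a client certificate, not a CA. The checker below, an added example that is not code from the thread or from the OpenLDAP project, parses ldap.conf-style files and flags the weak settings next to the hardened pair. Directive names are those of ldap.conf(5) and of the nss_ldap/pam_ldap conf files (ssl, tls_checkpeer, tls_cacertfile); the sample config texts are constructed for the example.

```python
"""Audit OpenLDAP client TLS directives (added example, not from the thread).

Directive names follow ldap.conf(5) (TLS_REQCERT, TLS_CACERT, TLS_CACERTDIR,
TLS_CERT) and the nss_ldap/pam_ldap conf files ("ssl", "tls_checkpeer",
"tls_cacertfile"); the sample config texts are constructed for this example.
"""

# TLS_REQCERT values that leave the server certificate unverified. With any
# of these, STARTTLS still encrypts, but the client will bind to whatever
# answers on the LDAP port. The OpenLDAP default is "demand".
WEAK_REQCERT = {"never", "allow", "try"}

# Directives that name the CA to trust, in either configuration family.
TRUST_ANCHORS = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CACERTFILE"}


def parse_ldap_conf(text):
    """Parse 'keyword value' lines into {KEYWORD: value}.

    Keywords are case-insensitive in ldap.conf(5), so they are upper-cased;
    lines starting with '#' are comments; a repeated keyword keeps the last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_client_tls(conf):
    """Return a list of findings; an empty list means the TLS client settings are sound."""
    findings = []

    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not "
                        "verified, so the encrypted session may be with an impostor")

    has_trust_anchor = any(k in conf for k in TRUST_ANCHORS)
    if not has_trust_anchor:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the CA that signed the server "
                        "certificate is not trusted, which is why only 'never' appears to work")

    # TLS_CERT is the client's own certificate for certificate-based binds;
    # pointing it at the server or CA certificate does not create trust.
    if "TLS_CERT" in conf and not has_trust_anchor:
        findings.append("TLS_CERT set without TLS_CACERT: TLS_CERT is a client "
                        "certificate, not a trust anchor")

    # nss_ldap / pam_ldap directives (/etc/libnss_ldap.conf, /etc/pam_ldap.conf).
    if conf.get("SSL", "").lower() == "off":
        findings.append("ssl off: naming and bind traffic travel in clear text")
    if conf.get("TLS_CHECKPEER", "").lower() == "no":
        findings.append("tls_checkpeer no: nss_ldap/pam_ldap will not verify the "
                        "server certificate")
    return findings


# Constructed sample: the thread's setup, which "works" only because
# verification has been switched off.
WEAK_CONF = """\
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
TLS_CERT    /etc/openldap/cacerts/server.pem
TLS_REQCERT never
"""

# Constructed sample: cacert.pem from CA.pl -newca copied to the client and
# named as the trust anchor, with verification required.
HARDENED_CONF = """\
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
TLS_CACERT  /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
"""

# Constructed sample in pam_ldap.conf style with peer checking disabled.
PAM_CONF_WEAK = """\
host ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("pam weak", PAM_CONF_WEAK)):
        findings = audit_client_tls(parse_ldap_conf(text))
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it over the real /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on Debian) and /etc/pam_ldap.conf once the client is working; an empty finding list for both files means the server is being authenticated, not merely encrypted to.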
