[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]

Mathieu Baudier mbaudier at argeo.org
Wed Oct 6 12:35:14 EDT 2010


> Here are the changes I'd review:
>
>  1. After installing the CA cert, did you create a hash link? E.g.,
>
>     /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
>
>  2. Make sure you know the difference between /etc/ldap.conf and
>     /etc/openldap/ldap.conf. The former is used by nss_ldap, the
>     latter by openldap clients.
>
>  3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,
>
>     ssl start_tls
>     tls_checkpeer yes
>     tls_cacertdir /etc/openldap/cacerts
>
>     Additionally, I've had trouble using the "uri" directive
>     in /etc/ldap.conf, esp. with encrypted connections. The
>     "host" and "port" directives have worked better for me.
>
>  4. Does /etc/pam.d/system-auth have pam_ldap.so entries for
>     auth, account, password, and session?
>
>  5. Are you running nscd? (I've found it indispensable when working
>     with network auth.)
>
>  6. Review the changes to /etc/nsswitch.conf to make sure that
>     the passwd, shadow, and group entries all query ldap.

Thanks a lot for this check-list (I recommend it for others in the future).

I had already checked most of the points, but I still played around
with your ideas, without success

But, this remark:

> I've never done ldaps to port 636, only TLS to port 389, so some of my
> comments may be slightly off-base in your situtation.

made me think of checking what should be the difference between a
START_TLS on a plain ldap port and ldaps on the ssl port

In /etc/ldap.conf:

for ldap + START_TLS this is indeed
>     ssl start_tls

but for ldaps (my case) this should be:
ssl on

Changing the value of 'ssl' to 'on' solved my problem!
(and this explains why my ldapsearch queries were working: as you
pointed out, /etc/ldap.conf is for the configuration of nss_ldap)

IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
the 'on' value:

...
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
...

Thanks a lot for your help!


More information about the CentOS mailing list