[CentOS] LDAP authentication on a remote server (via ldaps://)

Craig White craigwhite at azapple.com
Thu Oct 7 02:35:32 UTC 2010


On Wed, 2010-10-06 at 08:32 -0700, Paul Heinlein wrote:
> On Wed, 6 Oct 2010, Mathieu Baudier wrote:
> 
> > Now, I have a few servers in our local office and I would like them to
> > authenticate from the remote LDAP server using encryption via
> > ldaps://.
> > (at this stage, without using client-side certificate)
> >
> > I have run a similar command as I did on the remote servers, replacing
> > ldap://localldapserver by ldaps://ldap.mycompany.com:
> > authconfig --enableldap --enableldapauth --enablecache
> > --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com
> > --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256
> > --updateall
> >
> > and I put the CA certificate at the right place.
> > (either pointing TLS_CACERT to it explicitly or downloading it to
> > /etc/openldap/cacerts via system-config-authentication)
> >
> > In all my various tests,
> > ldapsearch -x
> > returns the content of the remote LDAP, so I guess that at least
> > openldap clients are properly configured.
> >
> > But when I try:
> > getent passwd
> > the command hangs.
> 
> I've never done ldaps to port 636, only TLS to port 389, so some of my
> comments may be slightly off-base in your situation.
> 
> Here are the changes I'd review:
> 
>   1. After installing the CA cert, did you create a hash link? E.g.,
> 
>      /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
> 
>   2. Make sure you know the difference between /etc/ldap.conf and
>      /etc/openldap/ldap.conf. The former is used by nss_ldap, the
>      latter by openldap clients.
> 
>   3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,
> 
>      ssl start_tls
>      tls_checkpeer yes
>      tls_cacertdir /etc/openldap/cacerts
> 
>      Additionally, I've had trouble using the "uri" directive
>      in /etc/ldap.conf, esp. with encrypted connections. The
>      "host" and "port" directives have worked better for me.
> 
>   4. Does /etc/pam.d/system-auth have pam_ldap.so entries for
>      auth, account, password, and session?
> 
>   5. Are you running nscd? (I've found it indispensable when working
>      with network auth.)
> 
>   6. Review the changes to /etc/nsswitch.conf to make sure that
>      the passwd, shadow, and group entries all query ldap.
----
tls_checkpeer yes could cause problems - always depends

nscd makes things harder to troubleshoot

uri ldap://some_fqdn/
or
uri ldaps://some_fqdn/

Craig
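The client-side items Paul lists (CA hash links, /etc/ldap.conf TLS lines, pam_ldap.so in all four stacks, ldap in nsswitch.conf) as an added shell audit; this is example code, not from any poster or from authconfig. It assumes nss_ldap's `ssl on` for ldaps:// and `ssl start_tls` for TLS on 389, and takes file paths as arguments so it can be run against copies of the files.

```shell
#!/bin/sh
# Constructed example (not from the thread): audit of Paul's client-side checklist.

# nss_ldap /etc/ldap.conf: "ssl on" is ldaps:// (636), "ssl start_tls" is TLS on 389.
check_ldap_conf() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)[[:space:]]*$' "$f" \
        || { echo "$f: no 'ssl on' or 'ssl start_tls' line"; rc=1; }
    grep -Eq '^[[:space:]]*tls_cacert(dir|file)[[:space:]]+' "$f" \
        || { echo "$f: no tls_cacertdir or tls_cacertfile line"; rc=1; }
    # tls_checkpeer yes makes server cert verification mandatory, so the CA
    # must actually be found (hash links below) or every lookup fails.
    grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$f" \
        && echo "$f: tls_checkpeer yes, CA dir must be rehashed"
    return $rc
}

# CA dir needs OpenSSL hash links (8 hex chars + .N) as made by cacertdir_rehash.
check_cacerts() {
    ls "$1" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' && return 0
    echo "$1: no hash links, run cacertdir_rehash $1"; return 1
}

# pam_ldap.so must be present in all four stacks of system-auth.
check_pam() {
    f=$1; rc=0
    for stack in auth account password session; do
        grep -Eq "^[[:space:]]*$stack[[:space:]].*pam_ldap\.so" "$f" \
            || { echo "$f: $stack stack has no pam_ldap.so"; rc=1; }
    done
    return $rc
}

# passwd, shadow and group must each name ldap as a source (comments ignored).
check_nsswitch() {
    f=$1; rc=0
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:([^#]*[[:space:]])?ldap([[:space:]]|$)" "$f" \
            || { echo "$f: $db does not consult ldap"; rc=1; }
    done
    return $rc
}
# Usage: sh audit.sh /etc/ldap.conf /etc/openldap/cacerts /etc/pam.d/system-auth /etc/nsswitch.conf
audit() {
    bad=0
    check_ldap_conf "$1" || bad=1; check_cacerts "$2" || bad=1
    check_pam "$3" || bad=1;       check_nsswitch "$4" || bad=1
    [ "$bad" -eq 0 ] && echo "all checks passed"; return $bad
}
if [ "$#" -eq 4 ]; then audit "$@"; fi
```

Each function prints what is missing and returns non-zero, so a hanging `getent passwd` can be narrowed to one of the four files before touching nscd.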
